Abstract

This is the third of three papers describing ZAP, a satisfiability engine that substantially
generalizes existing tools while retaining the performance characteristics of modern high- 
performance solvers. The fundamental idea underlying ZAP is that many problems passed to 
such engines contain rich internal structure that is obscured by the Boolean representation 
used; our goal has been to define a representation in which this structure is apparent and 
can be exploited to improve computational performance. The first paper surveyed existing 
work that (knowingly or not) exploited problem structure to improve the performance of 
satisfiability engines, and the second paper showed that this structure could be understood 
in terms of groups of permutations acting on individual clauses in any particular Boolean 
theory. We conclude the series by discussing the techniques needed to implement our ideas, 
and by reporting on their performance on a variety of problem instances. 

1. Introduction 

This is the third of a series of three papers describing ZAP, a satisfiability engine that
substantially generalizes existing tools while retaining the performance characteristics of 
modern high-performance solvers such as zChaff (Moskewicz, Madigan, Zhao, Zhang, & 
Malik, 2001). In the first two papers in this series, we made arguments to the effect that: 

• Many Boolean satisfiability problems incorporate a rich structure that reflects prop- 
erties of the domain from which the problems arise, and recent improvements in the 
performance of satisfiability engines can be understood in terms of their ability to 
exploit this structure (Dixon, Ginsberg, & Parkes, 2004b, to which we will refer as 
ZAP1).

• The structure itself can be understood in terms of groups (in the algebraic sense) of 
permutations acting on individual clauses (Dixon, Ginsberg, Luks, & Parkes, 2004a,
to which we will refer as ZAP2).

(c)2005 AI Access Foundation. All rights reserved. 
We showed that an implementation based on these ideas could be expected to combine
the attractive computational properties of a variety of recent ideas, including efficient
implementations of unit propagation (Zhang & Stickel, 2000) and extensions of the Boolean
language to include cardinality or pseudo-Boolean constraints (Barth, 1995; Dixon & Ginsberg,
2000; Hooker, 1988), parity problems (Tseitin, 1970), or a limited form of quantification 
known as QPROP (Ginsberg & Parkes, 2000). In this paper, we discuss the implementation 
of a prover based on these ideas, and describe its performance on pigeonhole, parity and 
clique coloring problems. These classes of problems are known to be exponentially difficult 
for conventional Boolean satisfiability engines, and their formalization also highlights the 
group-based nature of the reasoning involved. 

From a technical point of view, this is the most difficult of the three ZAP papers; we need 
to draw on the algorithms and theoretical constructions from ZAP2 and on results from com- 
putational group theory (GAP Group, 2004; Seress, 2003) regarding their implementation. 
Our overall plan for describing the implementation is as follows: 

1. Section 2 is a review of material from ZAP2. We begin in Section 2.1 by presenting both 
the Boolean satisfiability algorithms that we hope to generalize and the basic algebraic 
ideas underlying ZAP. Section 2.2 describes the group-theoretic computations required 
by the ZAP implementation. 

2. Section 3 gives a brief - and necessarily incomplete - introduction to some of the ideas 
in computational group theory that we use. 

3. Sections 4 and 5 describe the implementations of the computations discussed in Sec- 
tion 2. For each basic construction, we describe the algorithm used and give an 
example of the computation in action. If there is an existing implementation of some- 
thing in the public domain system GAP (2004), we only provide a pointer to that 
implementation; for concepts that we needed to implement from scratch, additional 
detail is provided. 

4. Section 6 extends the basic algorithms of Section 5 to deal with unit propagation, 
where we want to compute not a single unit clause instance, but a list of all of the 
unit consequences of an augmented clause. 

5. Section 7 discusses the implementation of Zhang and Stickel's (2000) watched literal 
idea in our setting. 

6. Section 8 describes a technique that can be used to select among the possible resolvents 
of two augmented clauses. This is functionality with no analog in a conventional 
prover, where there is only a single ground reason for the truth or falsity of any given 
variable. If the reasons are augmented clauses, there may be a variety of ways in 
which ground instances of those clauses can be combined. 

7. After describing the algorithms, we present experimental results regarding perfor- 
mance in Sections 9 and 10. Section 9 reports on the performance of ZAP's individual 
algorithmic components, while Section 10 contrasts ZAP's overall performance to that
of its CNF-based predecessors.^1 Since our focus in this paper is on the algorithms

1. A description of ZAP's input language is contained in Appendix B.
needed by ZAP, we report performance only for relatively theoretical examples that
clearly involve group-based reasoning. Performance on a wider range of problem 
classes will be reported elsewhere. 

8. Concluding remarks appear in Section 11. 

Except for Section 3, proofs are generally deferred to Appendix A in the interests of main- 
taining the continuity of our exposition. Given the importance of computational group 
theory to the ideas that we will be presenting, we strongly suggest that the reader work 
through the proofs in Section 3 of the paper. 

This is a long and complex paper; we make no apologies. ZAP is an attempt to synthesize
two very different fields, each complex in its own right: computational group theory and 
implementations of Boolean satisfiability engines. Computational group theory, in addition 
to its inherent complexity, is likely to be foreign to an AI audience. Work on complete 
algorithms for Boolean satisfiability has also become increasingly sophisticated over the 
past decade or so, with the introduction of substantial and nonintuitive modifications to the 
original DPLL algorithm such as relevance-bounded learning (Bayardo & Miranker, 1996;
Bayardo & Schrag, 1997; Ginsberg, 1993) and watched literals (Zhang & Stickel, 2000). 
As we bring these two fields together, we will see that a wide range of techniques from 
computational group theory is relevant to the problems of interest to us; our goal is also 
not simply to translate DPLL to the new setting, but to show that all of the recent work 
on Boolean satisfiability can be moved across. In at least one case (Lemma 5.26), we also 
need to extend existing computational group theory results. And finally, there are new 
satisfiability techniques and possibilities that arise only because of the synthesis that we are 
proposing (Section 8), and we will describe some of those as well. 

This paper is not intended to be self-contained. We assume throughout that the reader 
is familiar with the material that we presented in ZAP2; some of the results from that paper 
are repeated here for convenience, but the accompanying text is not intended to stand alone. 

Finally - and in spite of the disclaimers of the previous two paragraphs - this paper is 
not intended to be complete. Our goal is to present a practical minimum of what is required 
to implement an effective group-based reasoning system. The results that we have obtained, 
both theoretical as described in ZAP2 and practical as described here, excite us. But we are
just as excited by the number of issues that we have not yet explored. Our primary goal is 
to present the foundation needed if other interested researchers are to explore these ideas 
with us. 

2. ZAP Fundamentals and Basic Structure 

Our overview of ZAP involves summarizing work from two distinct areas: existing Boolean 
satisfiability engines, and the group-theoretic elements underlying ZAP. 

2.1 Boolean Satisfiability 

We begin with a description of the architecture of modern Boolean satisfiability engines. 
We start with the unit propagation procedure, which we describe as follows: 
Definition 2.1 Given a Boolean satisfiability problem described in terms of a set C of
clauses, a partial assignment is an assignment of values (true or false) to some subset
of the variables appearing in C. We represent a partial assignment P as a sequence of
consistent literals $P = \langle l_i \rangle$ where the appearance of $v_i$ in the sequence means that $v_i$ has
been set to true, and the appearance of $\neg v_i$ means that $v_i$ has been set to false.

An annotated partial assignment is a sequence $P = \langle (l_i, c_i) \rangle$ where $c_i$ is the reason for
the associated choice $l_i$. If $c_i$ = true, it means that the variable was set as the result of a
branching decision; otherwise, $c_i$ is a clause that entails $l_i$ by virtue of the choices of the
previous $l_j$ for $j < i$. An annotated partial assignment will be called sound with respect to
a set of constraints C if $C \models c_i$ for each reason $c_i$. (See ZAP2 for additional details.)

Given a (possibly annotated) partial assignment P, we denote by $S(P)$ the literals that
are satisfied by P, and by $U(P)$ the set of literals that are unvalued by P.

Procedure 2.2 (Unit propagation) To compute Unit-Propagate$(C, P)$ for a set C of
clauses and an annotated partial assignment $P = \langle (l_1, c_1), \ldots, (l_n, c_n) \rangle$:

1 while there is a $c \in C$ with $c \cap S(P) = \emptyset$ and $|c \cap U(P)| \le 1$



7 return (false, P) 

The result returned depends on whether or not a contradiction was encountered during 
the propagation, with the first result returned being true if a contradiction was found and 
false if none was found. In the former case, where the clause c has no unvalued literals 
(line 2), $l_i$ is the last literal set in c, and $c_i$ is the reason that $l_i$ was set in a way that caused
c to be unsatisfiable. We resolve c with $c_i$ and return the result as a new nogood for the
problem in question. Otherwise, we eventually return the partial assignment, augmented 
to include the variables that were set during the propagation process. 

Given unit propagation, the overall inference procedure is the following: 

Procedure 2.3 (Relevance-bounded learning, rbl) Given a SAT problem C, a set of
learned nogoods D and an annotated partial assignment P, to compute rbl$(C, D, P)$:



 1  $(x, y) \leftarrow$ Unit-Propagate$(C \cup D, P)$
 2  if x = true
 3     then $c \leftarrow y$
 4          if c is empty
 5             then return FAILURE
 6             else remove successive elements from P so that c is unit
 7                  learn$(D, P, c)$
 8                  return rbl$(C, D, P)$
 9     else $P \leftarrow y$
10          if P is a solution to C
11             then return P
12             else $l \leftarrow$ a literal not assigned a value by P
13                  return rbl$(C, D, \langle P, (l, \text{true}) \rangle)$



As might be expected, the procedure is recursive. If at any point unit propagation pro- 
duces a contradiction c, we use the (currently unspecified) learn procedure to incorporate c 
into the solver's current state, and then recurse. If c is empty, it means that we have derived 
a contradiction and the procedure fails. In the backtracking step (line 6), we backtrack not 
just until c is satisfiable, but until it enables a unit propagation. This technique is used in 
zChaff (Moskewicz et al., 2001). It leads to increased flexibility in the choice of variable 
to be assigned after the backtrack is complete, and generally improves performance. 

If unit propagation does not indicate the presence of a contradiction or produce a solution 
to the problem in question, we pick an unvalued literal, set it to true, and recurse again. 
Note that we don't need to set the literal $l$ to true or false; if we eventually need to backtrack
and set $l$ to false, that will be handled by the modification to P in line 6.

Finally, we need to present the procedure used to incorporate a new nogood into the 
clausal database C. In order to do that, we make the following definition: 

Definition 2.4 Let $\vee_i l_i$ be a clause, which we will denote by c, and let P be a partial
assignment. We will say that the possible value of c under P is given by

$\mathrm{poss}(c, P) = |\{i \mid \neg l_i \notin P\}| - 1$

If no ambiguity is possible, we will write simply poss(c) instead of poss(c, P). In other
words, poss(c) is the number of literals that are either already satisfied or not valued by P,
reduced by one (since the clause requires at least one true literal).

Note that $\mathrm{poss}(c, P) = |c \cap [U(P) \cup S(P)]| - 1$, since each expression is one less than the
number of potentially satisfied literals in c.

The possible value of a clause is essentially a measure of what other authors have called 
its irrelevance (Bayardo & Miranker, 1996; Bayardo & Schrag, 1997; Ginsberg, 1993). An
unsatisfied clause c with poss(c, P) = 0 can be used for unit propagation; we will say that
such a clause is unit. If poss(c, P) = 1, it means that a change to a single variable can
lead to a unit propagation, and so on. The notion of learning used in relevance-bounded 
inference is now captured by: 
Procedure 2.5 Given a set of clauses C and an annotated partial assignment P, to
compute learn(C, P, c), the result of adding to C a clause c and removing irrelevant clauses:

1 remove from C any $d \in C$ with $\mathrm{poss}(d, P) > k$

2 return $C \cup \{c\}$

We hope that all of this is familiar; if not, please refer to ZAP2 or to the other papers 
that we have cited for fuller explanations. 

In ZAP, we continue to work with these procedures in approximately their current form, 
but replace the idea of a clause (a disjunction of literals) with that of an augmented clause: 

Definition 2.6 An augmented clause in an n-variable Boolean satisfiability problem is a
pair (c, G) where c is a Boolean clause and G is a group such that $G \le W_n$. A
(nonaugmented) clause d is an instance of an augmented clause (c, G) if there is some $g \in G$ such
that $d = c^g$.^2 The clause c itself will be called the base instance of (c, G).

Roughly speaking, an augmented clause consists of a conventional clause and a group G 
of permutations of the literals in the theory; the intent is that we can act on the clause with 
any element of the group and still get a clause that is "part" of the original theory. The 
group G is required to be a subgroup of the group of "permutations and complementations" 
(Harrison, 1989) $W_n = S_2 \wr S_n$, where each permutation $g \in G$ can permute the variables
in the problem and flip the signs of an arbitrary subset as well. We showed in ZAP2 that 
suitably chosen groups correspond to cardinality constraints, parity constraints (the group 
flips the signs of any even number of variables), and universal quantification over finite 
domains. 

We must now lift the previous three procedures to an augmented setting. In unit 
propagation, for example, instead of checking to see if any clause $c \in C$ is unit given the
assignments in P, we now check to see if any augmented clause (c, G) has a unit instance. 
Other than that, the procedure is essentially unchanged from Procedure 2.2: 

Procedure 2.7 (Unit propagation) To compute Unit-Propagate(C, P) for a set of
clauses C and an annotated partial assignment $P = \langle (l_1, c_1), \ldots, (l_n, c_n) \rangle$:

1 while there is a $(c, G) \in C$ and $g \in G$ with $c^g \cap S(P) = \emptyset$ and $|c^g \cap U(P)| \le 1$



7 return (false, P) 



The basic inference procedure itself is also virtually unchanged: 



2. As in ZAP2 and as used by the computational group theory community, we denote the image of a clause
c under a group element g by $c^g$ instead of the possibly more familiar $g(c)$. As explained in ZAP2, this
reflects the fact that the composition fg of two permutations acts with f first and with g second.



Procedure 2.8 (Relevance-bounded learning, rbl) Given a SAT problem C, a set of
learned clauses D, and an annotated partial assignment P, to compute rbl$(C, D, P)$:

 1  $(x, y) \leftarrow$ Unit-Propagate$(C \cup D, P)$
 2  if x = true
 3     then $(c, G) \leftarrow y$
 4          if c is empty
 5             then return FAILURE
 6             else remove successive elements from P so that c is unit
 7                  $D \leftarrow$ learn$(D, P, (c, G))$
 8                  return rbl$(C, D, P)$
 9     else $P \leftarrow y$
10          if P is a solution to C
11             then return P
12             else $l \leftarrow$ a literal not assigned a value by P
13                  return rbl$(C, D, \langle P, (l, \text{true}) \rangle)$

In line 3, although unit propagation returns an augmented clause (c, G), the base instance 
c is still the reason for the backtrack by virtue of line 6 of Procedure 2.7. It follows that 
line 6 of Procedure 2.8 is unchanged from the Boolean version. 

To lift Procedure 2.5 to our setting, we need an augmented version of Definition 2.4: 

Definition 2.9 Let (c, G) be an augmented clause, and P a partial assignment. Then by
poss((c, G), P) we will mean the minimum possible value of an instance of (c, G), so that

$\mathrm{poss}((c, G), P) = \min_{g \in G} \mathrm{poss}(c^g, P)$



Procedure 2.5 can now be used unchanged, with d being an augmented clause instead of a 
simple one. The effect of Definition 2.9 is to cause us to remove only augmented clauses for 
which every instance is irrelevant. Presumably, it will be useful to retain the clause as long 
as it has some relevant instance. 

In ZAP2, we showed that a proof engine built around the above three procedures would
have the following properties: 

• Since the number of generators of a group can be made logarithmic in the group size, 
it would achieve exponential improvements in basic representational efficiency. 

• Since only k-relevant nogoods are retained as the search proceeds, the memory re-
quirements remain polynomial in the size of the problem being solved. 

• It can produce polynomially sized proofs of the pigeonhole and clique coloring prob- 
lems, and any parity problem. 

• It generalizes first-order inference provided that all quantifiers are universal and all 
domains of quantification are finite. 

We stated without proof (and will show in this paper) that the unit propagation
procedure 2.7 can be implemented in a way that generalizes both subsearch (Ginsberg & Parkes,
2000) and Zhang and Stickel's (2000) watched literal idea.
2.2 Group-Theoretic Elements

Examining the above three procedures, the elements that are new relative to Boolean engines 
are the following: 

1. In line 1 of the unit propagation procedure 2.7, we need to find unit instances of an 
augmented clause (c, G).

2. In line 4 of the same procedure 2.7, we need to compute the resolvent of two augmented 
clauses. 

3. In line 1 of the learning procedure 2.5, we need to determine if an augmented clause 
has any relevant instances. 

The first and third of these needs are different from the second. For resolution, we need 
the following definitions: 

Definition 2.10 For a permutation p and set S with $S^p = S$, by $p|_S$ we will mean the
restriction of p to the given set, and we will say that p is a lifting of $p|_S$ back to the original
set on which p acts.

Definition 2.11 For a set $\Omega$, we will denote by $\mathrm{Sym}(\Omega)$ the group of permutations of $\Omega$.
If $G \le \mathrm{Sym}(\Omega)$ is a subgroup of this group and $S \subseteq \Omega$, we will say that G acts on S.^3

Definition 2.12 Suppose that G acts on a set S. Then for any $x \in S$, the orbit of x in G,
to be denoted by $x^G$, is given by $x^G = \{x^g \mid g \in G\}$. If $T \subseteq S$, then the G-closure of T, to be
denoted $T^G$, is the set

$T^G = \{t^g \mid t \in T \text{ and } g \in G\}$

Definition 2.13 For $K_1, \ldots, K_n \subseteq \Omega$ and $G_1, \ldots, G_n \le \mathrm{Sym}(\Omega)$, we will say that a
permutation $\omega \in \mathrm{Sym}(\Omega)$ is a stable extension of $G_1, \ldots, G_n$ for $K_1, \ldots, K_n$ if there are $g_i \in G_i$
such that for all i, $\omega|_{K_i^{G_i}} = g_i|_{K_i^{G_i}}$. We will denote the set of stable extensions of $G_1, \ldots, G_n$
for $K_1, \ldots, K_n$ by $\mathrm{stab}(K_i, G_i)$.

The set of stable extensions $\mathrm{stab}(K_i, G_i)$ is closed under composition, and is therefore a
subgroup of $\mathrm{Sym}(\Omega)$.

Definition 2.14 Suppose that $(c_1, G_1)$ and $(c_2, G_2)$ are augmented clauses. Then the
result of resolving $(c_1, G_1)$ and $(c_2, G_2)$, to be denoted by $\mathrm{resolve}((c_1, G_1), (c_2, G_2))$, is the
augmented clause $(\mathrm{resolve}(c_1, c_2), \mathrm{stab}(c_i, G_i) \cap W_n)$.

It follows from the above definitions that computing the resolvent of two augmented 
clauses as required by Procedure 2.7 is essentially a matter of computing the set of stable 
extensions of the groups in question. We will return to this problem in Section 4.

The other two problems can both be viewed as instances of the following: 

3. For convenience, we depart from standard usage and permit G to map points in S to images outside 
of S. 
Definition 2.15 Let c be a clause, viewed as a set of literals, and G a group of permutations
acting on c. Now fix sets of literals S and U, and an integer k. We will say that the
k-transporter problem is that of finding a $g \in G$ such that $c^g \cap S = \emptyset$ and $|c^g \cap U| \le k$, or
reporting that no such g exists.

To find a unit instance of (c, G), we set S to be the set of satisfied literals and U the
set of unvalued literals. Taking k = 1 implies that we are searching for an instance with no 
satisfied and at most one unvalued literal. 

To find a relevant instance, we set $S = \emptyset$ and U to be the set of all satisfied or unvalued
literals. Taking k to be the relevance bound corresponds to a search for a relevant instance. 
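
The two uses of the k-transporter problem described above, together with Definition 2.9, as an added example that is not code from the paper or from ZAP. It enumerates every instance of an augmented clause by brute force, which is exponential in general and is not the polynomial procedure the paper is after; the signed-integer literal encoding, the generator format and all function names are assumptions of this example.

```python
from collections import deque

# Assumed encoding: variable v is the literal v, its negation is -v. An element
# of W_n is a dict {variable: signed literal}; variables not listed are fixed.
def act(g, lit):
    """Image of a literal under g; the image of -v is the negation of v's image."""
    img = g.get(abs(lit), abs(lit))
    return img if lit > 0 else -img

def instances(c, gens):
    """All instances c^g of the augmented clause (c, <gens>), i.e. the orbit of c."""
    start = frozenset(c)
    seen, queue = {start}, deque([start])
    while queue:
        d = queue.popleft()
        for g in gens:
            e = frozenset(act(g, l) for l in d)
            if e not in seen:
                seen.add(e)
                queue.append(e)
    return seen

def k_transporter(c, gens, S, U, k):
    """Definition 2.15: an instance d with d ∩ S = ∅ and |d ∩ U| <= k, else None."""
    for d in sorted(instances(c, gens), key=sorted):
        if not (d & S) and len(d & U) <= k:
            return sorted(d)
    return None

def valued_sets(P, variables):
    """S(P): literals satisfied by P. U(P): literals of variables P leaves unvalued."""
    S = set(P)
    U = {l for v in variables if v not in S and -v not in S for l in (v, -v)}
    return S, U

def unit_instance(c, gens, P, variables):
    """Unit instance search: S = satisfied literals, U = unvalued literals, k = 1."""
    S, U = valued_sets(P, variables)
    return k_transporter(c, gens, S, U, 1)

def relevant_instance(c, gens, P, variables, k):
    """Relevant instance search: S = ∅, U = satisfied or unvalued literals."""
    S, U = valued_sets(P, variables)
    return k_transporter(c, gens, set(), S | U, k)

def poss(c, gens, P):
    """Definition 2.9: minimum over instances of |{l in c^g : not-l not in P}| - 1."""
    return min(sum(-l not in P for l in d) for d in instances(c, gens)) - 1

# Constructed inputs. Sym{1,2,3} acting on (x1 v x2) gives the three clauses of
# "at least two of x1, x2, x3"; flipping the signs of pairs of variables in
# (x1 v x2 v x3) gives the four clauses of a parity constraint.
CARDINALITY = ((1, 2), [{1: 2, 2: 1}, {1: 2, 2: 3, 3: 1}])
PARITY = ((1, 2, 3), [{1: -1, 2: -2}, {2: -2, 3: -3}])

if __name__ == "__main__":
    print(unit_instance(*CARDINALITY, [-1], [1, 2, 3]))
    print(unit_instance(*PARITY, [1, 2], [1, 2, 3]))
```
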

The remainder of the theoretical material in this paper is therefore focused on these two 
problems: computing the stable extensions of a pair of groups, and solving the k-transporter
problem. Before we discuss the techniques used to solve these two problems, we present a 
brief overview of computational group theory generally. 

3. Computational Group Theory 

Both group theory at large and computational group theory specifically (the study of ef- 
fective computational algorithms that solve group-theoretic problems) are far too broad 
to allow detailed presentations in a single journal paper. We ourselves generally refer to
Rotman's An Introduction to the Theory of Groups (1994) for general information, and
to Seress' Permutation Group Algorithms (2003) for computational group theory specifi- 
cally, although there are many excellent texts in both areas. There is also an abbreviated 
introduction to group theory in ZAP2. 

If we cannot substitute for these other references, our goal here is to provide enough 
general understanding of computational group theory that it will be possible to work through 
some examples in what follows. With that in mind, there are three basic ideas that we hope 
to convey: 

1. Stabilizer chains. These underlie the fundamental technique whereby large groups are 
represented efficiently. They also underlie many of the subsequent computations done 
using those groups. 

2. Group decompositions. Given a group G and a subgroup H < G, H can be used in 
a natural way to partition G. Each of the partitions can itself be partitioned using a 
subgroup of H, and so on; this gradual refinement underpins many of the search-based 
group algorithms that have been developed. 

3. Lex-leader search. In general, it is possible to establish a lexicographic ordering on the 
elements of a permutation group; if we are searching for an element of the group having 
a particular property (as in the k-transporter problem), we can assume without loss
of generality that we are looking for an element that is minimal under this ordering.
This often allows the search to be pruned, since any portion of the search that can be 
shown not to contain such a minimal element can be eliminated. 
3.1 Stabilizer Chains

While the fact that a group G can be described in terms of an exponentially smaller number 
of generators is attractive from a representational point of view, there are many issues that 
arise if a large set of clauses is represented in this way. Perhaps the most fundamental 
is that of simple membership: How can we tell if a fixed clause c' is an instance of the 
augmented clause (c, G)?

In general, this is an instance of the 0-transporter problem; we need some $g \in G$ for
which $c^g$, the image of c under g, does not intersect the complement of c'. A simpler but
clearly related problem assumes that we have a fixed permutation g such that $c^g = c'$; is
$g \in G$ or not? Given a representation of G in terms simply of its generators, it is not
obvious how this can be determined quickly. 

Of course, if G is represented via a list of all of its elements, we could sort the elements 
lexicographically and use a binary search to determine if g were included. Virtually any 
problem of interest to us can be solved in time polynomial in the size of the groups involved, 
but we would like to do better, solving the problems in time polynomial in the total size 
of the generators, and therefore generally polynomial in the logarithm of the size of the 
groups (and so polylog in the size of the original clausal database). We will call a procedure
polynomial only if it is indeed polytime in the number of generators of G and in the size of
the set of literals on which G acts. It is only for such polynomial procedures that we can
be assured that ZAP's representational efficiencies will mature into computational gains.

For the membership problem, that of determining if $g \in G$ given a representation of G
in terms of its generators, we need to have a coherent way of understanding the structure
of the group G itself. We suppose that G is a subgroup of the group $\mathrm{Sym}(\Omega)$ of symmetries
of some set $\Omega$, and we enumerate the elements of $\Omega$ as $\Omega = \{l_1, \ldots, l_n\}$.

There will now be some subset $G^{[2]} \subseteq G$ that fixes $l_1$ in that for any $g \in G^{[2]}$ we have
$l_1^g = l_1$. It is easy to see that $G^{[2]}$ is closed under composition, since if any two elements fix
$l_1$, then so does their composition. It follows that $G^{[2]}$ is a subgroup of G. In fact, we have:

Definition 3.1 Given a group G acting on a set $\Omega$ and a subset $L \subseteq \Omega$, the point stabilizer
of L is the subgroup $G_L \le G$ of all $g \in G$ such that $l^g = l$ for every $l \in L$. The set stabilizer
of L is that subgroup $G_{\{L\}} \le G$ of all $g \in G$ such that $L^g = L$.

Having defined $G^{[2]}$ as the point stabilizer of $l_1$, we can go on to define $G^{[3]}$ as the
point stabilizer of $l_2$ within $G^{[2]}$, so that $G^{[3]}$ is in fact the point stabilizer of $\{l_1, l_2\}$ in G.
Similarly, we define $G^{[i+1]}$ to be the point stabilizer of $l_i$ in $G^{[i]}$ and thereby construct a
chain of stabilizers

$G = G^{[1]} \ge G^{[2]} \ge \cdots \ge G^{[n]} = 1$

where the last group is necessarily trivial because once $n - 1$ points of $\Omega$ are stabilized, the
last point must be also. 

If we want to describe G in terms of its generators, we will now assume that we describe
all of the $G^{[i]}$ in terms of generators, and furthermore, that the generators for $G^{[i]}$ are a
superset of the generators for $G^{[i+1]}$. We can do this because $G^{[i+1]}$ is a subgroup of $G^{[i]}$.

4. The development of computationally efficient procedures for solving permutation group problems appears 
to have begun with Sims' (1970) pioneering work on stabilizer chains. 
Definition 3.2 A strong generating set S for a group $G \le \mathrm{Sym}(l_1, \ldots, l_n)$ is a set of
generators for G with the property that

$\langle S \cap G^{[i]} \rangle = G^{[i]}$

for $i = 1, \ldots, n$.

As usual, $\langle g_i \rangle$ denotes the group generated by the $g_i$.

It is easy to see that a generating set is strong just in case it has the property discussed
above, in that each $G^{[i]}$ can be generated incrementally from $G^{[i+1]}$ and the generators that
are in fact elements of $G^{[i]} - G^{[i+1]}$.

As an example, suppose that G = S4, the symmetric group on 4 elements (which we 
denote 1,2,3,4). Now it is not hard to see that $S_4$ is generated by the 4-cycle (1,2,3,4)
and the transposition (3,4), but this is not a strong generating set. $G^{[2]}$ is the subgroup of
$S_4$ that stabilizes 1 (and is therefore isomorphic to $S_3$, since it can randomly permute the
remaining three points) but

$\langle S \cap G^{[2]} \rangle = \langle (3, 4) \rangle = G^{[3]} \ne G^{[2]}$ (1)

If we want a strong generating set, we need to add (2,3,4) or a similar permutation to the
generating set, so that (1) becomes

$\langle S \cap G^{[2]} \rangle = \langle (2, 3, 4), (3, 4) \rangle = G^{[2]}$

Here is a slightly more interesting example. Given a permutation, it is always possible 
to write that permutation as a composition of transpositions. One possible construction 
maps 1 where it is supposed to go, then ignores it for the rest of the construction, and so 
on. Thus we have for example 

(1,2,3,4) = (1,2)(1,3)(1,4) (2) 

where the order of composition is from left to right, so that 1 maps to 2 by virtue of the 
first transposition and is then left unaffected by the other two, and so on. 

While the representation of a permutation in terms of transpositions is not unique, the 
parity of the number of transpositions is; a permutation can always be represented as a 
product of an even or an odd number of transpositions, but not both. Furthermore, the 
product of two transposition products of lengths $l_1$ and $l_2$ can obviously be represented as
a product of length $l_1 + l_2$, and it follows that the product of two "even" permutations is
itself even, and we have: 

Definition 3.3 The alternating group of order n, to be denoted by $A_n$, is the subgroup of
even permutations of $S_n$.

What about a strong generating set for $A_n$? If we fix the first $n - 2$ points, then the
transposition $(n - 1, n)$ is obviously odd, so we must have $A_n^{[n-1]} = 1$, the trivial group.
For any smaller i, we can get a subset of $A_n$ by taking the generators for $S_n^{[i]}$ and operating
on each as necessary with the transposition $(n - 1, n)$ to make it even. It is not hard to
see that an n-cycle is odd if and only if n is even (consider (2) above), so given the strong
generating set 

$\{(n-1, n), (n-2, n-1, n), \ldots, (2, 3, \ldots, n), (1, 2, \ldots, n)\}$

for $S_n$, a strong generating set for $A_n$ if n is odd is

$\{(n-2, n-1, n), (n-1, n)(n-3, n-2, n-1, n), \ldots, (n-1, n)(2, 3, \ldots, n), (1, 2, \ldots, n)\}$

and if n is even is

$\{(n-2, n-1, n), (n-1, n)(n-3, n-2, n-1, n), \ldots, (2, 3, \ldots, n), (n-1, n)(1, 2, \ldots, n)\}$

We can simplify these expressions slightly to get

$\{(n-2, n-1, n), (n-3, n-2, n-1), \ldots, (2, 3, \ldots, n-1), (1, 2, \ldots, n)\}$

if n is odd and

$\{(n-2, n-1, n), (n-3, n-2, n-1), \ldots, (2, 3, \ldots, n), (1, 2, \ldots, n-1)\}$

if n is even.

Given a strong generating set, it is easy to compute the size of the original group G. To 
do this, we need the following well known definition and result: 

Definition 3.4 Given groups $H \le G$ and $g \in G$, we define $Hg$ to be the set of all $hg$ for
$h \in H$. For any such g, we will say that $Hg$ is a (right) coset of H in G.

Proposition 3.5 Let $Hg_1$ and $Hg_2$ be two cosets of H in G. Then $|Hg_1| = |Hg_2|$ and the
cosets are either identical or disjoint. □

In other words, given a subgroup H of a group G, the cosets of H partition G. This
leads to: 

Definition 3.6 For groups $H \le G$, the index of H in G, denoted $[G : H]$, is the number
of distinct cosets of H in G.

Corollary 3.7 For a finite group G, $[G : H] = \frac{|G|}{|H|}$. □

Given that the cosets partition the original group G, it is natural to think of them as 
defining an equivalence relation on G, where $x \sim y$ if and only if x and y belong to the
same coset of H. We have:

Proposition 3.8 $x \sim y$ if and only if $xy^{-1} \in H$.

Proof. If $xy^{-1} = h \in H$ and x is in a coset $Hg$ so that $x = h'g$ for some $h' \in H$, then
$y = h^{-1}x = h^{-1}h'g$ is in the same coset. Conversely, if $x = hg$ and $y = h'g$ are in the same
coset, then $xy^{-1} = hgg^{-1}h'^{-1} = hh'^{-1} \in H$. □

Many equivalence relations on groups are of this form. Indeed, if $\sim$ is any right invariant
equivalence relation on the elements of a group G (so that if $x \sim y$, then $xz \sim yz$ for any
$z \in G$), then there is some $H \le G$ such that the cosets of H define the equivalence relation.

Returning to stabilizer chains, recall that we denote by $l_i^{G^{[i]}}$ the orbit of $l_i$ under $G^{[i]}$ (i.e., the set of all points to which $G^{[i]}$ maps $l_i$). We now have:

Proposition 3.9 Given a group $G$ acting on a set $\{l_1, \ldots, l_n\}$ and associated stabilizer chain $G^{[1]} \geq \cdots \geq G^{[n+1]}$,

$$|G| = \prod_i |l_i^{G^{[i]}}| \qquad (3)$$



Proof. We know that 



or inductively that 



$$|G| = \prod_i [G^{[i]} : G^{[i+1]}]$$

But it is easy to see that the distinct cosets of $G^{[i+1]}$ in $G^{[i]}$ correspond exactly to the points to which $G^{[i]}$ maps $l_i$, so that

$$[G^{[i]} : G^{[i+1]}] = |l_i^{G^{[i]}}|$$

and the result follows. □ 

Note that the expression in (3) is easy to compute given a strong generating set. As an example, given the strong generating set $\{(1,2,3,4), (2,3,4), (3,4)\}$ for $S_4$, it is clear that $S_4^{[3]} = \langle (3,4) \rangle$ and the orbit of 3 is of size 2. The orbit of 2 in $S_4^{[2]} = \langle (2,3,4), (3,4) \rangle$ is of size 3, and the orbit of 1 in $S_4^{[1]}$ is of size 4. So the total size of the group is $4! = 24$, hardly a surprise.

For $A_4$, a strong generating set is $\{(3,4)(1,2,3,4), (2,3,4)\} = \{(1,2,3), (2,3,4)\}$. The orbit of 2 in $A_4^{[2]} = \langle (2,3,4) \rangle$ is clearly of size 3, and the orbit of 1 in $A_4^{[1]} = A_4$ is of size 4. So $|A_4| = 12$. In general, of course, there are exactly two cosets of the alternating group because all of the odd permutations can be constructed by multiplying the even permutations in $A_n$ by a fixed transposition $t$. Thus $|A_n| = n!/2$.

We can evaluate the size of $A_n$ using strong generators by realizing that the orbit of 1 is of size $n$, that of 2 is of size $n-1$, and so on, until the orbit of $n-2$ is of size 3. The orbit of $n-1$ is of size 1, however, since the transposition $(n-1, n)$ is not in $A_n$. Thus $|A_n| = n!/2$ as before.

We can also use the strong generating set to test membership in the following way. Suppose that we have a group $G$ described in terms of its strong generating set (and therefore its stabilizer chain $G^{[1]} \geq \cdots \geq G^{[n+1]}$), and a specific permutation $\omega$. Now if $\omega(1) = k$, there are two possibilities:

1. If $k$ is not in the orbit of 1 in $G = G^{[1]}$, then clearly $\omega \notin G$.

2. If $k$ is in the orbit of 1 in $G^{[1]}$, select $g_1 \in G^{[1]}$ with $1^{g_1} = g_1(1) = k$. Now we construct $\omega_1 = \omega g_1^{-1}$, which fixes 1, and we determine recursively if $\omega_1 \in G^{[2]}$.

At the end of the process, we will have stabilized all of the elements moved by $G$, and should have $\omega_{n+1} = 1$. If so, the original $\omega \in G$; if not, $\omega \notin G$. This procedure is known as sifting.

Continuing with our example, let us see if the 4-cycle $\omega = (1,2,3,4)$ is in $S_4$ and in $A_4$. For the former, we see that $\omega(1) = 2$ and $(1,2,3,4) \in S_4^{[1]}$. This produces $\omega_1 = 1$, and we can stop and conclude that $\omega \in S_4$ (once again, hardly a surprise).

For the second, we know that $(1,2,3) \in A_4^{[1]}$ and we get $\omega_1 = (1,2,3,4)(1,2,3)^{-1} = (3,4)$. Now we could actually stop, since $(3,4)$ is obviously odd, but let us continue with the procedure. Since 2 is fixed by $\omega_1$, we have $\omega_2 = \omega_1$. Now 3 is moved to 4 by $\omega_2$, but $A_4^{[3]}$ is the trivial group, so we conclude correctly that $(1,2,3,4) \notin A_4$.
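The order computation of Proposition 3.9 and the sifting test described above, as an added Python example (not code from the paper or from ZAP). It assumes that the generators supplied really form a strong generating set for the base 1, ..., n; the function names are this example's own.

```python
from math import prod

def cycles(n, *cs):
    """Permutation of the points 1..n from disjoint cycles; p[x-1] is the image of x."""
    p = list(range(1, n + 1))
    for c in cs:
        for i, x in enumerate(c):
            p[x - 1] = c[(i + 1) % len(c)]
    return tuple(p)

def mul(p, q):
    """Left-to-right product, as in the text: apply p first, then q."""
    return tuple(q[y - 1] for y in p)

def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p, start=1):
        inv[y - 1] = x
    return tuple(inv)

def stabilizer_chain(n, sgs):
    """For each base point b = 1..n, return {image: u} with b^u = image.

    Level b uses the generators in sgs that fix 1..b-1; these generate
    G^[b] exactly when sgs is a strong generating set (assumed here)."""
    identity = tuple(range(1, n + 1))
    chain = []
    for b in range(1, n + 1):
        gens = [g for g in sgs if all(g[x - 1] == x for x in range(1, b))]
        reps, queue = {b: identity}, [b]
        for pt in queue:                      # breadth-first walk of the orbit of b
            for g in gens:
                img = g[pt - 1]
                if img not in reps:
                    reps[img] = mul(reps[pt], g)
                    queue.append(img)
        chain.append(reps)
    return chain

def order(chain):
    """|G| as the product of the orbit sizes, equation (3)."""
    return prod(len(reps) for reps in chain)

def sift(chain, w):
    """Sift w through the chain.

    Returns (is_member, residue, trace) where trace lists omega_1, omega_2, ...
    as far as the procedure got before failing or finishing."""
    trace = []
    for b, reps in enumerate(chain, start=1):
        k = w[b - 1]
        if k not in reps:                     # k is outside the orbit of b
            return False, w, trace
        w = mul(w, inverse(reps[k]))          # now w fixes 1..b
        trace.append(w)
    return w == tuple(range(1, len(w) + 1)), w, trace

# The two strong generating sets used in the text.
S4 = stabilizer_chain(4, [cycles(4, (1, 2, 3, 4)), cycles(4, (2, 3, 4)), cycles(4, (3, 4))])
A4 = stabilizer_chain(4, [cycles(4, (1, 2, 3)), cycles(4, (2, 3, 4))])
OMEGA = cycles(4, (1, 2, 3, 4))

if __name__ == "__main__":
    print("orbit sizes S4:", [len(r) for r in S4], "order", order(S4))
    print("orbit sizes A4:", [len(r) for r in A4], "order", order(A4))
    print("omega in S4:", sift(S4, OMEGA)[0])
    print("omega in A4:", sift(A4, OMEGA)[0], "residue", sift(A4, OMEGA)[1])
```

The residue returned for the $A_4$ case is the permutation at which sifting got stuck, which is the $(3,4)$ of the worked example.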

3.2 Coset Decomposition 

Some of the group problems that we will be considering (e.g., the $k$-transporter problem) subsume what was described in ZAP1 as subsearch (Dixon et al., 2004b; Ginsberg & Parkes, 2000). Subsearch is known to be NP-hard, so it follows that $k$-transporter must be as well. That suggests that the group-theoretic methods for solving it will involve search in some way.

The search involves a potential examination of all of the instances of some augmented clause $(c, G)$, or, in group theoretic terms, a potential examination of each member of the group $G$. The computational group theory community often approaches such a search problem by gradually decomposing $G$ into smaller and smaller cosets. What we will call a coset decomposition tree is produced, where the root of the tree is the entire group $G$ and the leaf nodes are individual elements of $G$:

Definition 3.10 Let $G$ be a group, and $G^{[1]} \geq \cdots \geq G^{[n]}$ a stabilizer chain for it. A coset decomposition tree for $G$ is a tree whose vertices at the $i$th level are the cosets of $G^{[i]}$ and for which the parent of a particular $G^{[i]}g$ is that coset of $G^{[i-1]}$ that contains it.

At any particular level $i$, the cosets correspond to the points to which the sequence $\langle l_1, \ldots, l_i \rangle$ can be mapped, with the points in the image of $l_i$ identifying the children of any particular node at level $i - 1$.

As an example, suppose that we consider the augmented clause 

$$(a \vee b, \mathrm{Sym}(a, b, c, d)) \qquad (4)$$

corresponding to the collection of ground clauses

$a \vee b$
$a \vee c$
$a \vee d$
$b \vee c$
$b \vee d$
$c \vee d$

Suppose also that we are working with an assignment for which $a$ and $b$ are true and $c$ and $d$ are false, and are trying to determine if any instance of (4) is unsatisfied. Assuming that we take $l_1$ to be $a$ through $l_4 = d$, the coset decomposition tree associated with $S_4$ is the following:
[Figure: coset decomposition tree. Root: Sym(a, b, c, d). Second row: Sym(b, c, d), (ab), (ac), (ad). Third row, under each second-row node: Sym(c, d), (bc), (bd). Fourth row, under each third-row node: the leaves 1 and (cd); the ninth and tenth leaves are marked with asterisks.]



An explanation of the notation here is surely in order. The nodes on the lefthand edge are labeled by the associated groups; for example, the node at level 2 is labeled with $\mathrm{Sym}(b, c, d)$ because this is the point at which we have fixed $a$ but $b$, $c$ and $d$ are still allowed to vary.

As we move across the row, we find representatives of the cosets that are being considered. So moving across the second row, the first entry $(ab)$ means that we are taking the coset of the basic group $\mathrm{Sym}(b, c, d)$ that is obtained by multiplying each element by $(ab)$ on the right. This is the coset that maps $a$ uniformly to $b$.

On the lower rows, we multiply the coset representatives associated with the nodes leading to the root. So the third node in the third row, labeled with $(bd)$, corresponds to the coset $\mathrm{Sym}(c, d) \cdot (bd)$.⁵ The two elements of this coset are $(bd)$ and $(cd)(bd) = (bdc)$. The point $b$ is uniformly mapped to $d$, $a$ is fixed, and $c$ can either be fixed or mapped to $b$.

The fourth point on this row corresponds to the coset

$$\mathrm{Sym}(c, d) \cdot (ab) = \{(ab), (cd)(ab)\}$$

The point $a$ is uniformly mapped to $b$, and $b$ is uniformly mapped to $a$. $c$ and $d$ can be swapped or not.

The fifth point is the coset

$$\mathrm{Sym}(c, d) \cdot (bc)(ab) = \mathrm{Sym}(c, d) \cdot (abc) = \{(abc), (abcd)\} \qquad (5)$$

$a$ is still uniformly mapped to $b$, and $b$ is now uniformly mapped to $c$. $c$ can be mapped either to $a$ or to $d$.

For the fourth line, the basic group is trivial and the single member of the coset can be obtained by multiplying the coset representatives on the path to the root. Thus the ninth and tenth nodes (marked with asterisks in the tree) correspond to the permutations $(abc)$ and $(abcd)$ respectively, and do indeed partition the coset of (5).

5. As here, we will occasionally denote the group multiplication operator explicitly by $\cdot$ to improve the clarity of the typesetting.
Understanding how this structure is used in search is straightforward. At the root, the original augmented clause (4) may indeed have unsatisfiable instances. But when we move to the first child, we know that the image of $a$ is $a$, so that the instance of the clause in question is $a \vee x$ for some $x$. Since $a$ is true for the assignment in question, it follows that the clause must be satisfied. In a similar way, mapping $a$ to $b$ also must produce a satisfied clause. The search space is already reduced to:

[Figure: the coset decomposition tree restricted to the subtrees under (ac) and (ad).]

If we map $a$ to $c$, then the first point on the next row corresponds to mapping $b$ to $b$, producing a satisfiable clause. If we map $b$ to $a$ (the next node; $b$ is mapped to $c$ at this node but then $c$ is mapped to $a$ by the permutation $(ac)$ labeling the parent), we also get a satisfiable clause. If we map $b$ to $d$, we will eventually get an unsatisfiable clause, although it is not clear how to recognize that without expanding the two children. The case where $a$ is mapped to $d$ is similar, and the final search tree is:

[Figure: the final search tree, with four leaf nodes remaining.]
Instead of the six clauses that might need to be examined as instances of the original (4), only four leaf nodes need to be considered. The internal nodes that were pruned above can be pruned without generation, since the only values that need to be considered for $a$ are necessarily $c$ and $d$ (the unsatisfied literals in the theory). At some level, then, the above search space becomes:

[Figure: the same search tree with the pruned internal nodes omitted.]



3.3 Lex Leaders 

Although the remaining search space in this example already examines fewer leaf nodes than the original, there still appears to be some redundancy. To understand one possible simplification, recall that we are searching for a group element $g$ for which $c^g$ is unsatisfied given the current assignment. Since any such group element suffices, we can (if we wish) search for that group element that is smallest under the lexicographic ordering of the group itself:

Definition 3.11 Let $G \leq \mathrm{Sym}(\Omega)$ be a group, and $\Omega = \langle \omega_1, \ldots, \omega_n \rangle$ an ordering of the elements of $\Omega$. For $g_1, g_2 \in G$, we will write $g_1 < g_2$ if there is some $i$ with $\omega_j^{g_1} = \omega_j^{g_2}$ for all $j < i$ and $\omega_i^{g_1} < \omega_i^{g_2}$.

Since the ordering defined by Definition 3.11 is a total order, we immediately have:

Lemma 3.12 If $S \subseteq \mathrm{Sym}(\Omega)$ for some ordered set $\Omega$, then $S$ has a unique minimal element. □

The minimal element of S is typically called a lexicographic leader or lex leader of S. 

Dixon, Ginsberg, Hofer, Luks & Parkes

In our example, imagine that there were a solution (i.e., a group element corresponding to an unsatisfied instance) under the right hand node at depth three. Now there would necessarily also have been an analogous solution under the preceding node at depth three, since the two search spaces are in some sense identical. The two hypothetical group elements would be identical except the images of $a$ and $b$ would be swapped. Since the group elements under the left hand node precede those under the right hand node in the lexicographic ordering, it follows that the lexicographically least element (which is all that we're looking for) is not under the right hand node, which can therefore be pruned. The search space becomes:

[Figure: the search tree after lex-leader pruning, with two leaf nodes remaining.]

This particular technique is quite general: whenever we are searching for a group ele- 
ment with a particular property, we can restrict our search to lex leaders of the set of all 
such elements and prune the search space on that basis. Seress (2003) provides a more 
complete discussion in the context of the problems typically considered by computational 
group theory; an example in the context of the $k$-transporter problem specifically can be
found in Section 5.5. 

Finally, we note that the two remaining leaf nodes are equivalent, since they refer to the 
same instance - once we know the images of a and of b, the overall instance is fixed and no 
further choices are relevant. So assuming that the variables in the problem are ordered so 
that those in the clause are considered first, we can finally prune the search below depth 
three to get: 




Only a single leaf node need be considered. 

Before we return to the application of these ideas in ZAP, we should stress that we have 
only scratched the surface of computational group theory as a whole. The field is broad 
and developing rapidly, and the implementation in ZAP is based on ideas that appear in Seress and in the GAP code. Indeed, the name was chosen to reflect ZAP's heritage as an outgrowth of both zChaff and GAP.⁶

4. Augmented Resolution 

We now turn to our ZAP-specific requirements. First, we have the definition of augmented resolution, which involves computing the group of stable extensions of the groups appearing in the resolvents. Specifically, we have augmented clauses $(c_1, G_1)$ and $(c_2, G_2)$ and need to compute the group $G$ of stable extensions of $G_1$ and $G_2$. Recalling Definition 2.13, this is the group of all permutations $\omega$ with the property that there is some $g_1 \in G_1$ such that

$$\omega|_{c_1^{G_1}} = g_1|_{c_1^{G_1}}$$

and similarly for $g_2$, $G_2$ and $c_2$. We are viewing the clauses $c_i$ as sets, with $c_i^{G_i}$ being the closure of $c_i$ under $G_i$ (recall Definition 2.12).

As an example, consider the two clauses

$$(c_1, G_1) = (a \vee b, \langle (ad), (be), (bf) \rangle)$$

and

$$(c_2, G_2) = (c \vee b, \langle (be), (bg) \rangle)$$

The closure of $c_1$ under $G_1$ is $\{a, b, d, e, f\}$ and $c_2^{G_2} = \{b, c, e, g\}$. We therefore need to find a permutation $\omega$ such that when $\omega$ is restricted to $\{a, b, d, e, f\}$, it is an element of $\langle (ad), (be), (bf) \rangle$, and when restricted to $\{b, c, e, g\}$ is an element of $\langle (be), (bg) \rangle$.

From the second condition, we know that $c$ cannot be moved by $\omega$, and any permutation of $b$, $e$ and $g$ is acceptable because $(be)$ and $(bg)$ generate the symmetric group $\mathrm{Sym}(b, e, g)$. This second restriction does not impact the image of $a$, $d$ or $f$ under $\omega$.

From the first condition, we know that $a$ and $d$ can be swapped or left unchanged, and any permutation of $b$, $e$ and $f$ is acceptable. But recall from the second condition that we must also permute $b$, $e$ and $g$. These conditions combine to imply that we cannot move $f$ or $g$, since to move either would break the condition on the other. We can swap $b$ and $e$ or not, so the group of stable extensions is $\langle (ad), (be) \rangle$, and that is what our construction should return.

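Procedure 4.1 Given augmented clauses $(c_1, G_1)$ and $(c_2, G_2)$, to compute $\mathrm{stab}(c_i, G_i)$:

1 $\text{c\_closure}_1 \leftarrow c_1^{G_1}$, $\text{c\_closure}_2 \leftarrow c_2^{G_2}$
2 $\text{g\_restrict}_1 \leftarrow G_1|_{\text{c\_closure}_1}$, $\text{g\_restrict}_2 \leftarrow G_2|_{\text{c\_closure}_2}$
3 $C_\cap \leftarrow \text{c\_closure}_1 \cap \text{c\_closure}_2$
4 $\text{g\_stab}_1 \leftarrow \text{g\_restrict}_{1\,\{C_\cap\}}$, $\text{g\_stab}_2 \leftarrow \text{g\_restrict}_{2\,\{C_\cap\}}$
5 $\text{g\_int} \leftarrow \text{g\_stab}_1|_{C_\cap} \cap \text{g\_stab}_2|_{C_\cap}$
6 $\{g_i\} \leftarrow \{\text{generators of g\_int}\}$
7 $\{l_{1i}\} \leftarrow \{g_i, \text{lifted to g\_stab}_1\}$, $\{l_{2i}\} \leftarrow \{g_i, \text{lifted to g\_stab}_2\}$
8 $\{l'_{2i}\} \leftarrow \{l_{2i}|_{\text{c\_closure}_2 - C_\cap}\}$
9 return $\langle \text{g\_restrict}_{1\,C_\cap}, \text{g\_restrict}_{2\,C_\cap}, \{l_{1i} \cdot l'_{2i}\} \rangle$

6. The authors of zChaff are Moskewicz, Madigan, Zhao, Zhang and Malik; our selection of only Z to include in our acronym is surely unfair to Moskewicz, Madigan and Malik. Zmap didn't have quite the same ring to it, however, and we hope that the implicitly excluded authors will accept our apologies for our choice.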

Proposition 4.2 The result returned by Procedure 4.1 is $\mathrm{stab}(c_i, G_i)$.

The proof is in Appendix A; here, we present an example of the computation in use and discuss the computational issues surrounding Procedure 4.1. The example we will use is that with which we began this section, but we modify $G_1$ to be $\langle (ad), (be), (bf), (xy) \rangle$ instead of the earlier $\langle (ad), (be), (bf) \rangle$. The new points $x$ and $y$ don't affect the set of instances in any way, and thus should not affect the resolution computation, either.

1. $\text{c\_closure}_i \leftarrow c_i^{G_i}$. This amounts to computing the closures of the $c_i$ under the $G_i$; as described earlier, we have $\text{c\_closure}_1 = \{a, b, d, e, f\}$ and $\text{c\_closure}_2 = \{b, c, e, g\}$.

2. $\text{g\_restrict}_i \leftarrow G_i|_{\text{c\_closure}_i}$. Here, we restrict each group to act only on the corresponding $\text{c\_closure}_i$. In this example, $\text{g\_restrict}_2 = G_2$ but $\text{g\_restrict}_1 = \langle (ad), (be), (bf) \rangle$ as the irrelevant points $x$ and $y$ are removed.

Note that it is not always possible to restrict a group to an arbitrary set; one cannot restrict the permutation $(xy)$ to the set $\{x\}$ because you need to add $y$ as well. But in this case, it is possible to restrict $G_i$ to $\text{c\_closure}_i$, since this latter set is closed under the action of the group.

3. $C_\cap \leftarrow \text{c\_closure}_1 \cap \text{c\_closure}_2$. The construction itself works by considering three separate sets - the intersection of the closures of the two original clauses (where the computation is interesting because the various $\omega$ must agree), and the points in only the closure of $c_1$ or only the closure of $c_2$. The analysis on these latter sets is straightforward; we just need $\omega$ to agree with any element of $G_1$ or $G_2$ on the set in question.

In this step, we compute the intersection region $C_\cap$. In our example, $C_\cap = \{b, e\}$.

4. $\text{g\_stab}_i \leftarrow \text{g\_restrict}_{i\,\{C_\cap\}}$. We find the subgroup of $\text{g\_restrict}_i$ that set stabilizes $C_\cap$, in this case the subgroup that set stabilizes the pair $\{b, e\}$. For $\text{g\_restrict}_1 = \langle (ad), (be), (bf) \rangle$, this is $\langle (ad), (be) \rangle$ because we can no longer swap $b$ and $f$, while for $\text{g\_restrict}_2 = \langle (be), (bg) \rangle$, we get $\text{g\_stab}_2 = \langle (be) \rangle$.

5. $\text{g\_int} \leftarrow \text{g\_stab}_1|_{C_\cap} \cap \text{g\_stab}_2|_{C_\cap}$. Since $\omega$ must simultaneously agree with both $G_1$ and $G_2$ when restricted to $C_\cap$ (and thus with $\text{g\_restrict}_1$ and $\text{g\_restrict}_2$ as well), the restriction of $\omega$ to $C_\cap$ must lie within this intersection. In our example, $\text{g\_int} = \langle (be) \rangle$.
6. $\{g_i\} \leftarrow \{\text{generators of g\_int}\}$. Any element of $\text{g\_int}$ will lead to an element of the group of stable extensions provided that we extend it appropriately from $C_\cap$ back to the full set $c_1^{G_1} \cup c_2^{G_2}$; this step begins the process of building up these extensions. It suffices to work with just the generators of $\text{g\_int}$, and we construct those generators here. We have $\{g_i\} = \{(be)\}$.

7. $\{l_{ki}\} \leftarrow \{g_i, \text{lifted to g\_stab}_k\}$. Our goal is now to build up a permutation on $\text{c\_closure}_1 \cup \text{c\_closure}_2$ that, when restricted to $C_\cap$, matches the generator $g_i$. We do this by lifting $g_i$ separately to $\text{c\_closure}_1$ and to $\text{c\_closure}_2$. Any such lifting suffices, so we can take (for example)

$$l_{11} = (be)(ad)$$

and

$$l_{21} = (be)$$

In the first case, the inclusion of the swap of $a$ and $d$ is neither precluded nor required; we could just as well have used $l_{11} = (be)$.

8. $\{l'_{2i}\} \leftarrow \{l_{2i}|_{\text{c\_closure}_2 - C_\cap}\}$. We cannot simply compose $l_{11}$ and $l_{21}$ to get the desired permutation on $\text{c\_closure}_1 \cup \text{c\_closure}_2$ because the part of the permutations acting on the intersection $\text{c\_closure}_1 \cap \text{c\_closure}_2$ will have acted twice. In this case, we would get $l_{11} \cdot l_{21} = (ad)$ which no longer captures our freedom to exchange $b$ and $e$.

We deal with this by restricting $l_{21}$ away from $C_\cap$ and only then combining with $l_{11}$. In the example, restricting $(be)$ away from $C_\cap = \{b, e\}$ produces the trivial permutation $l'_{21} = ()$.

9. Return $\langle \text{g\_restrict}_{1\,C_\cap}, \text{g\_restrict}_{2\,C_\cap}, \{l_{1i} \cdot l'_{2i}\} \rangle$. We compute the final answer from three sources: The combined $l_{1i} \cdot l'_{2i}$ that we have been working to construct, along with elements of $\text{g\_restrict}_1$ that fix every point in the closure of $c_2$ and elements of $\text{g\_restrict}_2$ that fix every point in the closure of $c_1$. These latter two sets obviously consist of stable extensions. An element of $\text{g\_restrict}_1$ point stabilizes the closure of $c_2$ if and only if it point stabilizes the points that are in both the closure of $c_1$ (to which $\text{g\_restrict}_1$ has been restricted) and the closure of $c_2$; in other words, if and only if it point stabilizes $C_\cap$.

In our example, we have

$$\text{g\_restrict}_{1\,C_\cap} = \langle (ad) \rangle$$
$$\text{g\_restrict}_{2\,C_\cap} = 1$$
$$\{l_{1i} \cdot l'_{2i}\} = \{(be)(ad)\}$$

so that the final group returned is

$$\langle (ad), (be)(ad) \rangle$$

This group is identical to the "obvious"

$$\langle (ad), (be) \rangle$$


We can swap either the $(a, d)$ pair or the $(b, e)$ pair, as we see fit. The first swap $(ad)$ is sanctioned for the first "resolvent" $(c_1, G_1) = (a \vee b, \langle (ad), (be), (bf) \rangle)$ and does not mention any relevant variable in the second $(c_2, G_2) = (c \vee b, \langle (be), (bg) \rangle)$. The second swap $(be)$ is sanctioned in both cases.
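Procedure 4.1 run on the example above, as an added Python example that is not ZAP's implementation: every group is listed element by element, which is only feasible for tiny groups, and the result is compared with the definition of stable extension applied to all permutations of the two closures (restricting to those points is an assumption of this example). All function names are hypothetical.

```python
from itertools import permutations

def perm(*cycles):
    """Permutation from disjoint cycles given as strings, e.g. perm("ad", "be").
    Stored as the frozenset of (point, image) pairs for the points it moves."""
    m = {x: c[(i + 1) % len(c)] for c in cycles for i, x in enumerate(c)}
    return frozenset((x, y) for x, y in m.items() if x != y)

def mul(p, q):
    """Left-to-right product: apply p first, then q."""
    dp, dq = dict(p), dict(q)
    m = {x: dq.get(dp.get(x, x), dp.get(x, x)) for x in set(dp) | set(dq)}
    return frozenset((x, y) for x, y in m.items() if x != y)

def generate(gens):
    """All elements of the group generated by gens."""
    group, frontier = {frozenset()}, [frozenset()]
    while frontier:
        p = frontier.pop()
        for g in gens:
            q = mul(p, g)
            if q not in group:
                group.add(q)
                frontier.append(q)
    return group

def closure(c, gens):
    """Closure of the set c under the group generated by gens (flood fill)."""
    seen, todo = set(c), list(c)
    while todo:
        x = todo.pop()
        for g in gens:
            y = dict(g).get(x, x)
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return frozenset(seen)

def restrict(p, pts):
    """Restriction of p to pts (a permutation of pts when p stabilizes pts)."""
    return frozenset((x, y) for x, y in p if x in pts)

def image(p, pts):
    d = dict(p)
    return frozenset(d.get(x, x) for x in pts)

def stable_extensions(c1, gens1, c2, gens2):
    """Procedure 4.1 with each group enumerated; comments give the step numbers."""
    cl1, cl2 = closure(c1, gens1), closure(c2, gens2)           # 1
    r1 = generate({restrict(g, cl1) for g in gens1})             # 2
    r2 = generate({restrict(g, cl2) for g in gens2})
    cap = cl1 & cl2                                              # 3
    stab1 = {g for g in r1 if image(g, cap) == cap}              # 4: set stabilizers
    stab2 = {g for g in r2 if image(g, cap) == cap}
    g_int = ({restrict(g, cap) for g in stab1}
             & {restrict(g, cap) for g in stab2})                # 5
    glued = set()
    for g in g_int:                   # 6: every element, not only generators
        l1 = next(l for l in stab1 if restrict(l, cap) == g)     # 7: any lifting
        l2 = next(l for l in stab2 if restrict(l, cap) == g)
        glued.add(mul(l1, restrict(l2, cl2 - cap)))              # 8
    fix1 = {g for g in r1 if not restrict(g, cap)}               # point stabilizers
    fix2 = {g for g in r2 if not restrict(g, cap)}
    return generate(fix1 | fix2 | glued)                         # 9

def by_definition(c1, gens1, c2, gens2):
    """Permutations of the two closures that agree with some element of G1 on
    the closure of c1 and with some element of G2 on the closure of c2."""
    cl1, cl2 = closure(c1, gens1), closure(c2, gens2)
    r1 = generate({restrict(g, cl1) for g in gens1})
    r2 = generate({restrict(g, cl2) for g in gens2})
    pts = sorted(cl1 | cl2)
    found = set()
    for imgs in permutations(pts):
        w = frozenset((x, y) for x, y in zip(pts, imgs) if x != y)
        if restrict(w, cl1) in r1 and restrict(w, cl2) in r2:
            found.add(w)
    return found

# The example from the text, with the irrelevant generator (xy) included in G1.
G1 = [perm("ad"), perm("be"), perm("bf"), perm("xy")]
G2 = [perm("be"), perm("bg")]
RESULT = stable_extensions("ab", G1, "cb", G2)

if __name__ == "__main__":
    print(sorted(sorted(p) for p in RESULT))
```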

Computational issues We conclude this section by discussing some of the computational issues that arise when we implement Procedure 4.1, including the complexity of the various operations required.

1. $\text{c\_closure}_i \leftarrow c_i^{G_i}$. Efficient algorithms exist for computing the closure of a set under a group. The basic method is to use a flood-fill like approach, adding and marking the result of acting on the set with a single generator, and recurring until no new points are added.

2. $\text{g\_restrict}_i \leftarrow G_i|_{\text{c\_closure}_i}$. A group can be restricted to a set that it stabilizes by restricting the generating permutations individually.

3. $C_\cap \leftarrow \text{c\_closure}_1 \cap \text{c\_closure}_2$. Set intersection is straightforward.

4. $\text{g\_stab}_i \leftarrow \text{g\_restrict}_{i\,\{C_\cap\}}$. Set stabilizer is not straightforward, and is not known to be polynomial in the total size of the generators of the group being considered (Seress, 2003).⁷ The most effective implementations work with a coset decomposition as described in Section 3.2; in computing $G_{\{S\}}$ for some set $S$, a node can be pruned when it maps a point inside of $S$ out of $S$ or vice versa. GAP implements this (but see our comments at the end of Section 10.2).

5. $\text{g\_int} \leftarrow \text{g\_stab}_1|_{C_\cap} \cap \text{g\_stab}_2|_{C_\cap}$. Group intersection is also not known to be polynomial in the total size of the generators; once again, a coset decomposition is used. Coset decompositions are constructed for each of the groups being combined, and the search spaces are pruned appropriately. GAP implements this as well.

6. $\{g_i\} \leftarrow \{\text{generators of g\_int}\}$. Groups are typically represented in terms of their generators, so reconstructing a list of those generators is trivial. Even if the generators are not known, constructing a strong generating set is known to be polynomial in the number of generators constructed.

7. $\{l_{ki}\} \leftarrow \{g_i, \text{lifted to g\_stab}_k\}$. Suppose that we have a group $G$ acting on a set $T$, a subset $V \subseteq T$ and a permutation $h$ acting on $V$ such that we know that $h$ is the restriction to $V$ of some $g \in G$, so that $h = g|_V$. To find such a $g$, we first construct a stabilizer chain for $G$ using an ordering that puts the elements of $T - V$ first. Now we are basically looking for a $g \in G$ such that the sifting procedure of Section 3.1 produces $h$ at the point that the points in $T - V$ have all been fixed. We can find such a $g$ in polynomial time by inverting the sifting procedure itself.

8. $\{l'_{2i}\} \leftarrow \{l_{2i}|_{\text{c\_closure}_2 - C_\cap}\}$. Restriction is still easy.

7. Unlike the $k$-transporter problem, which was mentioned at the beginning of Section 3.2 to be NP-hard, neither set stabilizer nor group intersection (see step 5) is likely to be NP-hard (Babai & Moran, 1988).
9. Return $\langle \text{g\_restrict}_{1\,C_\cap}, \text{g\_restrict}_{2\,C_\cap}, \{l_{1i} \cdot l'_{2i}\} \rangle$. Since groups are typically represented by their generators, we need simply take the union of the generators for the three arguments. Point stabilizers (needed for the first two arguments) are straightforward to compute using stabilizer chains.

5. Unit Propagation and the (Ir)relevance Test 

As we have remarked, the other main computational requirement of an augmented satisfiability engine is the ability to solve the $k$-transporter problem: Given an augmented clause $(c, G)$ where $c$ is once again viewed as a set of literals, and sets $S$ and $U$ of literals and an integer $k$, we want to find a $g \in G$ such that $c^g \cap S = \emptyset$ and $|c^g \cap U| \leq k$, if such a $g$ exists.

5.1 A Warmup

We begin with a somewhat simpler problem, assuming that $U = \emptyset$ so we are simply looking for a $g$ such that $c^g \cap S = \emptyset$.

We need the following definitions:

Definition 5.1 Let $H \leq G$ be groups. A transversal of $H$ in $G$ is any subset of $G$ that contains one element of each coset of $H$. We will denote such a transversal by $(G : H)$.

Note that since $H$ itself is one of the cosets, the transversal must contain a (unique) element of $H$. We will generally assume that the identity is this unique element.

Definition 5.2 Suppose that $G$ acts on a set $\Omega$ and that $c \subseteq \Omega$. By $c_G$ we will denote the elements of $c$ that are fixed by $G$.

As the search proceeds, we will gradually fix more and more points of the clause in question. The notation of Definition 5.2 will let us refer easily to the points that have been fixed thus far.

Procedure 5.3 Given groups $H \leq G$, an element $t \in G$, sets $c$ and $S$, to find a group element $g = \mathrm{map}(G, H, t, c, S)$ with $g \in H$ and $c^{gt} \cap S = \emptyset$:

1 if $c_H^t \cap S \neq \emptyset$
2   then return FAILURE
3 if $c = c_H$
4   then return 1
5 $\alpha \leftarrow$ an element of $c - c_H$
6 for each $t'$ in $(H : H_\alpha)$
7   do $r \leftarrow \mathrm{map}(G, H_\alpha, t't, c, S)$
8     if $r \neq$ FAILURE
9       then return $rt'$
10 return FAILURE
This is essentially a codification of the example that was presented in Section 3.2. We terminate the search when the clause is fixed by the remaining group $H$, but have not yet included any analog to the lex-leader pruning that we discussed in Section 3.3. In the recursive call in line 7, we retain the original group, for which we will have use in subsequent versions of the procedure.

A more precise description of the procedure would state explicitly that $G$ acts on $c$ and $S$, so that $G \leq \mathrm{Sym}(\Omega)$ with $c, S \subseteq \Omega$. Here and elsewhere, we believe that these conditions are obvious from context and have elected not to clutter the procedural descriptions with them.

Proposition 5.4 $\mathrm{map}(G, G, 1, c, S)$ returns an element $g \in G$ for which $c^g \cap S = \emptyset$, if such an element exists, and returns FAILURE otherwise.

Proof. The proof in Appendix A shows the slightly stronger result that $\mathrm{map}(G, H, t, c, S)$ returns an element $g \in H$ for which $c^{gt} \cap S = \emptyset$ if such an element exists. □

Given that the procedure terminates the search when all elements of $c$ are stabilized by $G$ but does not include lex-leader considerations, the search space examined in the example from Section 3.2 is the following, where we have replaced the variables $a, b, c, d$ with $x_1, x_2, x_3, x_4$ to avoid confusion with our current use of $c$ to represent the clause in question.

[Figure: search tree rooted at Sym(x_1, x_2, x_3, x_4); the surviving node labels include (x_1x_4) and (x_2x_3).]

It is still important to prune the node in the lower right, since for a larger problem, this node may be expanded into a significant search subtree. We discuss this pruning in Section 5.5.

In the interests of clarity, let us go through the example explicitly. Recall that the clause $c = x_1 \vee x_2$, $G = \mathrm{Sym}(x_1, x_2, x_3, x_4)$ permutes the $x_i$ arbitrarily, and that $S = \{x_1, x_2\}$.

On the initial pass through the procedure, $c_H = \emptyset$; suppose that we select $x_1$ to stabilize first. Line 6 now selects the point to which $x_1$ should be mapped; if we select $x_1$ or $x_2$, then $x_1$ itself will be mapped into $S$ and the recursive call will fail on line 2. So suppose we pick $x_3$ as the image of $x_1$.

Now $c_H = \{x_1\}$, and we need to fix the image of another point; $x_2$ is all that's left in the original clause $c$. As before, selecting $x_1$ or $x_2$ as the image of $x_2$ leads to failure. $x_3$ is already taken (it's the image of $x_1$), so we have to map $x_2$ into $x_4$. Now every element of $c$ is fixed, and the next recursive call returns the trivial permutation on line 4. This is combined with $(x_2x_4)$ on line 9 in the caller as we fix $x_4$ as the image of $x_2$. The original invocation then combines with $(x_1x_3)$ to produce the final answer of $(x_2x_4)(x_1x_3)$.
5.2 The k-Transporter Problem

Extending the above algorithm to solve the $k$-transporter problem is straightforward; in addition to requiring that $c_H^t \cap S = \emptyset$ in line 2, we also need to keep track of the number of points that have been (or will be) mapped into the set $U$ and make sure that we won't be forced to exceed the limit $k$.

To understand this, suppose that we are examining a node in the coset decomposition tree labeled with a permutation $t$, so that the node corresponds to permutations $gt$ for various $g$ in the subgroup being considered at this level. We want to ensure that there is some $g$ for which $|c^{gt} \cap U| \leq k$. Since $c^{gt}$ is assumed to avoid the set $S$ completely, we can replace this with the slightly stronger

$$|c^{gt} \cap (S \cup U)| \leq k \qquad (6)$$

This is in turn equivalent to

$$|c^g \cap (S \cup U)^{t^{-1}}| \leq k \qquad (7)$$

since the set in (7) is simply the result of operating on the set in (6) with the permutation $t^{-1}$.

We will present a variety of ways in which the bound of (7) can be approximated; for the moment, we simply introduce an auxiliary function $\mathrm{overlap}(H, c, V)$, which we assume computes a lower bound on $|c^h \cap V|$ for all $h \in H$. Procedure 5.3 becomes:

Procedure 5.5 Given groups $H \leq G$, an element $t \in G$, sets $c$, $S$ and $U$ and an integer $k$, to find a group element $g = \mathrm{transport}(G, H, t, c, S, U, k)$ with $g \in H$, $c^{gt} \cap S = \emptyset$ and $|c^{gt} \cap U| \leq k$:

1 if $c_H^t \cap S \neq \emptyset$
2   then return FAILURE
3 if $\mathrm{overlap}(H, c, (S \cup U)^{t^{-1}}) > k$
4   then return FAILURE
5 if $c = c_H$
6   then return 1
7 $\alpha \leftarrow$ an element of $c - c_H$
8 for each $t'$ in $(H : H_\alpha)$
9   do $r \leftarrow \mathrm{transport}(G, H_\alpha, t't, c, S, U, k)$
10     if $r \neq$ FAILURE
11       then return $rt'$
12 return FAILURE

For convenience, we will denote $\mathrm{transport}(G, G, 1, c, S, U, k)$ by $\mathrm{transport}(G, c, S, U, k)$. This is the "top level" function corresponding to the original invocation of Procedure 5.5.

Proposition 5.6 Provided that $|c^h \cap V| \geq \mathrm{overlap}(H, c, V) \geq |c_H \cap V|$ for all $h \in H$, $\mathrm{transport}(G, c, S, U, k)$ as computed by Procedure 5.5 returns an element $g \in G$ for which $c^g \cap S = \emptyset$ and $|c^g \cap U| \leq k$, if such an element exists, and returns FAILURE otherwise.
The second condition on overlap (that $\mathrm{overlap}(H, c, V) \geq |c_H \cap V|$) is needed to ensure that the procedure terminates on line 4 once the overlap limit is reached, rather than succeeding on line 6.

Procedure 5.5 is simplified significantly by the fact that we only need to return a single $g$ with the desired properties, as opposed to all such $g$. In the examples arising in (ir)relevance calculations, a single answer suffices. But if we want to compute the unit consequences of a given literal, we need all of the unit instances of the clause in question. There are other considerations at work in this case, however, and we defer discussion of this topic until Section 6.

Our initial version of overlap is:

Procedure 5.7 Given a group $H$, and two sets $c$, $V$, to compute $\mathrm{overlap}(H, c, V)$, a lower bound on the overlap of $c^h$ and $V$ for any $h \in H$:

1 return $|c_H \cap V|$

Having defined overlap, we may as well use it to replace the test in line 1 of Procedure 5.5 with a check to see if $\mathrm{overlap}(H, c, S^{t^{-1}}) > 0$, indicating that for any $h \in H$, $|c^h \cap S^{t^{-1}}| > 0$ or, equivalently, that $c^{ht} \cap S \neq \emptyset$. For the simple version of overlap defined above, there is no difference between the two procedures. But as overlap matures, this change will lead to additional pruning in some cases.

5.3 Orbit Pruning 

There are two general ways in which nodes can be pruned in the $k$-transporter problem. Lexicographic pruning is a bit more difficult, so we defer it until Section 5.5. To understand the other, we begin with the following example.

Consider the clause $c = x_1 \vee x_2 \vee x_3$ and the group $G$ that permutes the variables $\{x_1, x_2, x_3, x_4, x_5, x_6\}$ arbitrarily. If $S = \{x_1, x_2, x_3, x_4\}$, is there a $g \in G$ with $c^g \cap S = \emptyset$?

Clearly not; there isn't enough "room" because the image of $c$ will be of size three, and there is no way that this 3-element set can avoid the 4-element set $S$ in the 6-element universe $\{x_1, x_2, x_3, x_4, x_5, x_6\}$.

We can do a bit better in many cases. Suppose that our group $G$ is $\langle (x_1x_4), (x_2x_5), (x_3x_6) \rangle$ so that we can swap $x_1$ with $x_4$ (or not), $x_2$ with $x_5$, or $x_3$ with $x_6$. Now if $S = \{x_1, x_4\}$, can we find a $g \in G$ with $c^g \cap S = \emptyset$?

Once again, the answer is clearly no. The orbit of $x_1$ in $G$ is $\{x_1, x_4\}$ and since $\{x_1, x_4\} \subseteq S$, $x_1$'s image cannot avoid the set $S$.

In the general case appearing in Procedure 5.5, consider the initial call, where $t$ is the identity permutation. Given the group $G$, consider the orbits of the points in $c$. If there is any such orbit $W$ for which $|W \cap c| > |W - S|$, we can prune the search. The reason is that each of the points in $W \cap c$ must remain in $W$ when acted on by any element of $G$; that is what the definition of an orbit requires. But there are too many points in $W \cap c$ to stay away from $S$, so we will not manage to have $c^g \cap S = \emptyset$.

What about the more general case, where $t \neq 1$ necessarily? For a fixed $a$ in our clause $c$,
we will construct the image $a^{gt}$, acting on $a$ first with $g$ and then with $t$. We are interested
in whether $a^{gt} \in S$ or, equivalently, if $a^g \in S^{t^{-1}}$. Now $a^g$ is necessarily in the same orbit
as $a$, so we can prune if

$|W \cap c| > |W - S^{t^{-1}}|$

For similar reasons, we can also prune if

$|W \cap c| > |W - U^{t^{-1}}| + k$

In fact, we can prune if

$|W \cap c| > |W - (S \cup U)^{t^{-1}}| + k$

because there still is not enough space to fit the image without either intersecting $S$ or
putting at least $k$ points into $U$.

We can do better still. As we have seen, for any particular orbit, the number of points
that will eventually be mapped into $U$ is at least

$|W \cap c| - |W - (S \cup U)^{t^{-1}}|$

In some cases, this expression will be negative; the number of points that will be mapped
into $U$ is therefore at least

$\max(|W \cap c| - |W - (S \cup U)^{t^{-1}}|, 0)$

and we can prune any node for which

$\sum_W \max(|W \cap c| - |W - (S \cup U)^{t^{-1}}|, 0) > k$ (8)

where the sum is over the orbits of the group.

It will be somewhat more convenient to rewrite this using the fact that

$|W \cap c| + |W - c| = |W| = |W \cap (S \cup U)^{t^{-1}}| + |W - (S \cup U)^{t^{-1}}|$

so that (8) becomes

$\sum_W \max(|W \cap (S \cup U)^{t^{-1}}| - |W - c|, 0) > k$ (9)

Incorporating this type of analysis into Procedure 5.7 gives: 

Procedure 5.8 Given a group $H$, and two sets $c$, $V$, to compute overlap$(H, c, V)$, a lower
bound on the overlap of $c^h$ and $V$ for any $h \in H$:

1 $m \leftarrow 0$
2 for each orbit $W$ of $H$
3     do $m \leftarrow m + \max(|W \cap V| - |W - c|, 0)$
4 return $m$

Proposition 5.9 Let $H$ be a group and $c$, $V$ sets acted on by $H$. Then for any $h \in H$,
$|c^h \cap V| \geq$ overlap$(H, c, V) \geq |c_H \cap V|$ where overlap is computed by Procedure 5.8.

5.4 Block Pruning

The pruning described in the previous section can be improved further. To see why, consider 
the following example, which might arise in solving an instance of the pigeonhole problem. 
We have the two cardinality constraints: 

$x_1 + x_2 + x_3 + x_4 \geq 2$ (10)
$x_5 + x_6 + x_7 + x_8 \geq 2$ (11)

presumably saying that at least two of four pigeons are not in hole $m$ and at least two
are not in hole $n$ for some $m$ and $n$.^8 Rewriting the individual cardinality constraints as
augmented clauses produces

$(x_1 \lor x_2 \lor x_3, \mathrm{Sym}(x_1, x_2, x_3, x_4))$
$(x_5 \lor x_6 \lor x_7, \mathrm{Sym}(x_5, x_6, x_7, x_8))$

or, in terms of generators,

$(x_1 \lor x_2 \lor x_3, \langle (x_1 x_2), (x_2 x_3 x_4) \rangle)$ (12)
$(x_5 \lor x_6 \lor x_7, \langle (x_5 x_6), (x_6 x_7 x_8) \rangle)$ (13)

What we would really like to do, however, is to capture the full symmetry in a single axiom. 

We can do this by realizing that we can obtain (13) from (12) by switching $x_1$ and $x_5$,
$x_2$ and $x_6$, and $x_3$ and $x_7$ (in which case we want to switch $x_4$ and $x_8$ as well). So we add
the generator $(x_1 x_5)(x_2 x_6)(x_3 x_7)(x_4 x_8)$ to the overall group, and modify the permutations
$(x_1 x_2)$ and $(x_2 x_3 x_4)$ (which generate $\mathrm{Sym}(x_1, x_2, x_3, x_4)$) so that they permute $x_5, x_6, x_7, x_8$
appropriately as well. The single augmented clause that we obtain is

$(x_1 \lor x_2 \lor x_3, \langle (x_1 x_2)(x_5 x_6), (x_2 x_3 x_4)(x_6 x_7 x_8), (x_1 x_5)(x_2 x_6)(x_3 x_7)(x_4 x_8) \rangle)$ (14)

and it is not hard to see that this does indeed capture both (12) and (13). 

Now suppose that $x_1$ and $x_5$ are false, and the other variables are unvalued. Does (14)
have a unit instance? 

With regard to the pruning condition in the previous section, the group has a single
orbit, and the condition (with $k = 1$) is

$|W \cap (S \cup U)| - |W - c| > 1$ (15)

But

$W = \{x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8\}$
$S = \emptyset$
$U = \{x_2, x_3, x_4, x_6, x_7, x_8\}$
$c = \{x_1, x_2, x_3\}$

so that $|W \cap (S \cup U)| = 6$, $|W - c| = 5$ and (15) fails.

8. In an actual pigeonhole instance, all of the variables would be negated. We have dropped the negations
for convenience.

But it should be possible to conclude immediately that there are no unit instances
of (14). After all, there are no unit instances of (10) or (11) because only one variable in
each clause has been set, and three unvalued variables remain. Equivalently, there is no
unit instance of (12) because only one of $\{x_1, x_2, x_3, x_4\}$ has been valued, and two need to
be valued to make $x_1 \lor x_2 \lor x_3$ or another instance unit. Similarly, there is no unit instance
of (13). What went wrong?

What went wrong is that the pruning heuristic thinks that both $x_1$ and $x_5$ can be
mapped to the same clause instance, in which case it is indeed possible that the instance
in question be unit. The heuristic doesn't realize that $x_1$ and $x_5$ are in separate "blocks"
under the action of the group in question.

To formalize this, let us first make the following definition: 

Definition 5.10 Suppose G acts on a set T. We will say that G acts transitively on T if 
T is an orbit of G. 

Put somewhat differently, $G$ acts transitively on $T$ just in case for any $x, y \in T$ there is
some $g \in G$ such that $x^g = y$.

Definition 5.11 Suppose that a group $G$ acts transitively on a set $T$. Then a block system
for $G$ is a partitioning of $T$ into sets $B_1, \ldots, B_n$ such that $G$ permutes the $B_i$.

In other words, for each $g \in G$ and each block $B_i$, $B_i^g = B_j$ for some $j$. If $j = i$, then
the image of $B_i$ under $g$ is $B_i$ itself. If $j \neq i$, then the image of $B_i$ under $g$ is disjoint from
$B_i$, since the blocks partition $T$.

Every group acting transitively and nontrivially on a set T has at least two block systems: 

Definition 5.12 For a group $G$ acting transitively on a set $T$, a block system $B_1, \ldots, B_n$
will be called trivial if either $n = 1$ or $n = |T|$.

In the former case, there is a single block consisting of the entire set $T$ (which obviously
is a block system). If $n = |T|$, each point is in its own block; since $G$ permutes the points,
it obviously permutes the blocks.

Lemma 5.13 All of the blocks in a block system are of identical size. □ 

In the example we have been considering, $B_1 = \{x_1, x_2, x_3, x_4\}$ and $B_2 = \{x_5, x_6, x_7, x_8\}$
is also a block system for the action of the group on the set $T = \{x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8\}$.
And while it is conceivable that a clause image is unit within the overall set $T$, it is impossible
for it to have fewer than two unvalued literals within each particular block. Instead of
looking at the overall expression

$|W \cap (S \cup U)| - |W - c| > 1$ (16)

we can work with individual blocks.

The clause $x_1 \lor x_2 \lor x_3$ is in a single block in this block system, and will therefore remain
in a single block after being acted on with any $g \in G$. If the clause winds up in block $B_i$,
then the condition (16) can be replaced with

$|B_i \cap (S \cup U)| - |B_i - c| > 1$

or, in this case,

$|B_i \cap (S \cup U)| > |B_i - c| + 1 = 2$

so that we can prune if there are more than two unvalued literals in the block in question.
After all, if there are three or more unvalued literals, there must be at least two in the
clause instance being considered, and it cannot be unit.

Of course, we don't know exactly which block will eventually contain the image of $c$,
but we can still prune if

$\min(|B_i \cap (S \cup U)|) > 2$

since in this case any target block will generate a prune. And in the example that we have
been considering,

$|B_i \cap (S \cup U)| = 3$

for each block in the block system.

Generalizing this idea is straightforward. For notational convenience, we introduce:

Definition 5.14 Let $T = \{T_1, \ldots, T_k\}$ be sets, and suppose that $T_{i_1}, \ldots, T_{i_n}$ are the $n$
elements of $T$ of smallest size. Then we will denote $\sum_{j=1}^{n} |T_{i_j}|$ by $\sum^{\min}_{n} T_i$.

Proposition 5.15 Let $G$ be a group acting transitively on a set $T$, and let $c, V \subseteq T$.
Suppose also that $\{B_1, \ldots, B_k\}$ is a block system for $G$ and that $c \cap B_i \neq \emptyset$ for $n$ of the
blocks in $\{B_1, \ldots, B_k\}$. Then if $b$ is the size of an individual block $B_i$ and $g \in G$,

$|c^g \cap V| \geq |c| + \sum^{\min}_{n} (B_i \cap V) - nb$ (17)

Proposition 5.16 If the block system is trivial (in either sense), (17) is equivalent to

$|c^g \cap V| \geq |T \cap V| - |T - c|$ (18)

Proposition 5.17 Let $\{B_1, \ldots, B_k\}$ be a block system for a group $G$ acting transitively on
a set $T$. Then (17) is never weaker than (18).

In any event, we have shown that we can strengthen Procedure 5.8 to: 

Procedure 5.18 Given a group $H$, and two sets $c$, $V$, to compute overlap$(H, c, V)$, a
lower bound on the overlap of $c^h$ and $V$ for any $h \in H$:

1 $m \leftarrow 0$
2 for each orbit $W$ of $H$
3     do $\{B_1, \ldots, B_k\} \leftarrow$ a block system for $W$ under $H$
4        $n = |\{i \mid B_i \cap c \neq \emptyset\}|$
5        $m \leftarrow m + \max(|c \cap W| + \sum^{\min}_{n} (B_i \cap V) - n|B_1|, 0)$
6 return $m$

Which block system should we use in line 3 of the procedure? There seems to be no 
general best answer to this question, although we have seen from Proposition 5.17 that any 
block system is better than one of the trivial ones. In practice, the best choice appears to be 
a minimal block system (i.e., one with blocks of the smallest size) for which c is contained 
within a single block. Now Procedure 5.18 becomes: 

Procedure 5.19 Given a group $H$, and two sets $c$, $V$, to compute overlap$(H, c, V)$, a
lower bound on the overlap of $c^h$ and $V$ for any $h \in H$:

1 $m \leftarrow 0$
2 for each orbit $W$ of $H$
3     do $\{B_1, \ldots, B_k\} \leftarrow$ a minimal block system for $W$ under $H$ for which
         $c \cap W \subseteq B_i$ for some $i$
4        $m \leftarrow m + \max(|c \cap W| + \min(B_i \cap V) - |B_1|, 0)$
5 return $m$

Proposition 5.20 Let $H$ be a group and $c$, $V$ sets acted on by $H$. Then for any $h \in H$,
$|c^h \cap V| \geq$ overlap$(H, c, V) \geq |c_H \cap V|$ where overlap is computed by Procedure 5.19. □

Note that the block system being used depends only on the group H and the original 
clause c. This means that in an implementation it is possible to compute these block 
systems once and then use them even if there are changes in the sets S and U of satisfied 
and unvalued literals respectively. 

GAP includes algorithms for finding minimal block systems for which a given set of
elements (called a "seed" in GAP) is contained within a single block. The basic idea is to
form an initial block "system" where the points in the seed are in one block and each point
outside of the seed is in a block of its own. The algorithm then repeatedly runs through
the generators of the group, seeing if any generator $g$ maps elements $x, y$ in one block to
$x^g$ and $y^g$ that are in different blocks. If this happens, the blocks containing $x^g$ and $y^g$ are
merged. This continues until every generator respects the candidate block system, at which
point the procedure is complete.^9
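
The following Python sketch is an added example, not code from the paper or from ZAP. It implements Procedure 5.8, the seed-merging block computation just described, and Procedure 5.19, and runs them on augmented clause (14) to show that the orbit bound equals $k$ (no prune) while the block bound exceeds it. The integers 1..8 standing for $x_1, \ldots, x_8$, the function names, and taking $t$ to be the identity are assumptions of the example.

```python
"""Orbit pruning (Procedure 5.8) versus block pruning (Procedure 5.19)."""


def perm(cycles, points):
    """Permutation as a dict point -> image, built from disjoint cycles."""
    p = {x: x for x in points}
    for cyc in cycles:
        for i, x in enumerate(cyc):
            p[x] = cyc[(i + 1) % len(cyc)]
    return p


def orbits(gens, points):
    """Orbits of the group generated by gens acting on points."""
    seen, result = set(), []
    for start in points:
        if start in seen:
            continue
        orbit, frontier = {start}, [start]
        while frontier:
            x = frontier.pop()
            for g in gens:
                if g[x] not in orbit:
                    orbit.add(g[x])
                    frontier.append(g[x])
        seen |= orbit
        result.append(frozenset(orbit))
    return result


def minimal_block_system(gens, orbit, seed):
    """Smallest block system on orbit that keeps seed inside one block."""
    parent = {x: x for x in orbit}          # union-find over the orbit

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    seed = sorted(seed)
    for x in seed[1:]:                      # seed starts as one block
        parent[find(x)] = find(seed[0])
    changed = True
    while changed:                          # until every generator respects the blocks
        changed = False
        for g in gens:
            for x in orbit:
                # x and find(x) share a block, so their images must as well
                a, b = find(g[x]), find(g[find(x)])
                if a != b:
                    parent[a] = b
                    changed = True
    blocks = {}
    for x in orbit:
        blocks.setdefault(find(x), set()).add(x)
    return [frozenset(b) for b in blocks.values()]


def overlap_orbit(gens, points, c, V):
    """Procedure 5.8: sum over orbits W of max(|W & V| - |W - c|, 0)."""
    return sum(max(len(W & V) - len(W - c), 0) for W in orbits(gens, points))


def overlap_block(gens, points, c, V):
    """Procedure 5.19: per orbit, max(|c & W| + min_i |B_i & V| - |B_1|, 0)."""
    m = 0
    for W in orbits(gens, points):
        blocks = minimal_block_system(gens, W, c & W)
        b = len(blocks[0])                  # Lemma 5.13: all blocks have one size
        m += max(len(c & W) + min(len(B & V) for B in blocks) - b, 0)
    return m


# Constructed input: integers 1..8 stand for x1..x8; t is the identity.
POINTS = range(1, 9)
GENS_14 = [                                 # generators of the group in (14)
    perm([(1, 2), (5, 6)], POINTS),
    perm([(2, 3, 4), (6, 7, 8)], POINTS),
    perm([(1, 5), (2, 6), (3, 7), (4, 8)], POINTS),
]
C = frozenset({1, 2, 3})                    # c = x1 v x2 v x3
S = frozenset()                             # no satisfied literals
U = frozenset({2, 3, 4, 6, 7, 8})           # x1 and x5 false, the rest unvalued
K = 1                                       # we are looking for unit instances

if __name__ == "__main__":
    V = S | U
    blocks = minimal_block_system(GENS_14, frozenset(POINTS), C)
    print("blocks:", sorted(sorted(B) for B in blocks))
    for name, fn in (("5.8", overlap_orbit), ("5.19", overlap_block)):
        bound = fn(GENS_14, POINTS, C, V)
        print("Procedure", name, "bound:", bound, "prune:", bound > K)
```

Because the block system depends only on the group and the clause, a solver would compute it once per augmented clause rather than on every call, as the text notes.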

5.5 Lexicographic Pruning 

Block pruning will not help us with the example at the end of Section 5.1. The final space 
being searched is: 

9. A faster implementation makes use of the procedure designed for testing equivalence of finite
automata (Aho, Hopcroft, & Ullman, 1974, chapter 4) and takes $O(sn A(n))$ time, where $s$ is the size
of the generating set and $A(n)$ is the inverse Ackermann function.

As we have remarked, the first leaf node (where a is mapped to c and b to d) is essentially
identical to the second (where a is mapped to d and b to c). It is important not to expand 
both since more complicated examples may involve a substantial amount of search below 
the nodes that are leaf nodes in the above figure. 

This is the sort of situation in which lexicographic pruning can generally be applied. 
We want to identify the two leaf nodes as equivalent in some way, and then expand only 
the lexicographically least member of each equivalence class. For any particular node n, 
we need a computationally effective way of determining if n is the lexicographically least 
member of its equivalence class. 

We begin by identifying conditions under which two nodes are equivalent. To understand
this, recall that we are interested in the image of the clause $c$ under a particular group
element $g$. That means that we don't care about where any particular literal $l$ is mapped,
because we care only about the image of the entire clause $c$. We also don't care about the
image of any literal that isn't in $c$.

From a formal point of view, we begin by extending our set stabilizer notation somewhat:

Definition 5.21 For a permutation group $G$ and sets $S_1, \ldots, S_k$ acted on by $G$, by $G_{\{S_1, \ldots, S_k\}}$
we will mean that subgroup of $G$ that simultaneously set stabilizes each of the $S_i$; equivalently,
$G_{\{S_1, \ldots, S_k\}} = \cap_i G_{\{S_i\}}$.

In computing a multiset stabilizer $G_{\{S_1, \ldots, S_k\}} = \cap_i G_{\{S_i\}}$, we need not compute the
individual set stabilizers and then take their intersection. Instead, recall that the set stabilizers
themselves are computed using coset decomposition; if any stabilized point is moved either
into or out of the set in question, the given node can be pruned in the set stabilizer
computation. It is straightforward to modify the set stabilizer algorithm so that if any stabilized
point is moved into or out of any of the $S_i$, the node in question is pruned. This allows
$G_{\{S_1, \ldots, S_k\}}$ to be computed in a single traversal of $G$'s decomposition tree.

Now suppose that $j$ is a permutation in $G$ that stabilizes the set $c$. If $c^g$ satisfies the
conditions of the transporter problem, then so will $c^{jg}$. After all, acting with $j$ first doesn't
affect the set corresponding to $c$, and the image of the clause under $jg$ is therefore identical
to its image under $g$. This means that two permutations $g$ and $h$ are "equivalent" if $h = jg$
for some $j \in G_{\{c\}}$, the set stabilizer of $c$ in $G$. Alternatively, the permutation $g$ is equivalent
to any element of the coset $Jg$, where $J = G_{\{c\}}$.

On the other hand, suppose that $k$ is a permutation that simultaneously stabilizes the
sets $S$ and $U$ of satisfied and unvalued literals respectively. Now it is possible to show that
if we operate with $k$ after operating successfully with $g$, we also don't impact the question
of whether or not is a solution to the transporter problem. The upshot of this is the 
following: 

Definition 5.22 Let $G$ be a group with $J \leq G$ and $K \leq G$, and let $g \in G$. Then the double
coset $JgK$ is the set of all elements of $G$ of the form $jgk$ for $j \in J$ and $k \in K$.

Proposition 5.23 Let $G$ be a group of permutations, and $c$ a set acted on by $G$. Suppose
also that $S$ and $U$ are sets acted on by $G$. Then for any instance $L$ of the $k$-transporter
problem and any $g \in G$, either every element of $G_{\{c\}} g G_{\{S,U\}}$ is a solution of $L$, or none is.

To understand why this is important, imagine that we prune the overall search tree so
that the only permutations $g$ remaining are ones that are minimal in their double cosets
$JgK$, where $J = G_{\{c\}}$ and $K = G_{\{S,U\}}$ as above. Will this impact the solubility of any
instance of the $k$-transporter problem?

It will not. If a particular instance has no solutions, pruning the tree obviously will not 
introduce any. If the particular instance has a solution g, then every element of JgK is 
also a solution, so specifically the minimal element of JgK is a solution, and this minimal 
element will not be pruned under our assumptions. 

We see, then, that we can prune any node $n$ for which we can show that every permutation
$g$ underneath $n$ is not minimal in its double coset $JgK$. To state precise conditions
under which this lets us prune the node $n$, suppose that we have some coset decomposition
of a group $G$, and that $x_j$ is the point fixed at depth $j$ of the tree. Now if $n$ is a node at
depth $i$ in the tree, we know that $n$ corresponds to a coset $Ht$ of $G$, where $H$ stabilizes each
$x_j$ for $j \leq i$. We will denote the image of $x_j$ under $t$ by $z_j$. If there is no $g \in Ht$ that is
minimal in its double coset $JgK$ for $J = G_{\{c\}}$ and $K = G_{\{S,U\}}$ as in Proposition 5.23, then
the node $n$ corresponding to $Ht$ can be pruned.

Lemma 5.24 (Leon, 1991) If $x_l \in x_k^{J_{x_1, \ldots, x_{k-1}}}$ for some $k \leq l$ and $z_k > \min(z_l^{K_{z_1, \ldots, z_{k-1}}})$,
then no $g \in Ht$ is the first element of $JgK$. □

Lemma 5.25 (reported by Seress, 2003) Let $s$ be the length of the orbit $x_l^{J_{x_1, \ldots, x_{l-1}}}$. If
$z_l$ is among the last $s - 1$ elements of its orbit in $G_{z_1, z_2, \ldots, z_{l-1}}$, then no $g \in Ht$ is the first
element of $JgK$. □

Both of these results give conditions under which a node in the coset decomposition can
be pruned when searching for a solution to an instance of the $k$-transporter problem. Let
us consider an example of each.

We begin with Lemma 5.24. If we return to our example from the end of Section 5.1,
we have $G = \mathrm{Sym}(a, b, c, d)$, $c = \{a, b\} = S$, and $U = \emptyset$. Thus $J = K = G_{\{a,b\}} =
\mathrm{Sym}(a, b) \times \mathrm{Sym}(c, d) = \langle (ab), (cd) \rangle$.

Consider the node that we have repeatedly remarked can be pruned at depth 1, where
we fix the image of $a$ to be $d$. In this case, $x_1 = a$ and $z_1 = d$. If we take $k = l$ in the
statement of the lemma, $x_l \in x_k^{J_{x_1, \ldots, x_{k-1}}}$ since $1 \in J_{x_1, \ldots, x_{l-1}}$. Thus we can prune if

$z_l > \min(z_l^{K_{z_1, \ldots, z_{l-1}}})$

Further restricting to $l = 1$ gives us

$z_1 > \min(z_1^K)$ (19)

In this example, $z_1 = d$, so $z_1^K = \{c, d\}$ and (19) holds (assuming that $d > c$ in our ordering).
The node can be pruned, and we finally get the reduced search space:




as desired. 

This node can be pruned by Lemma 5.25 as well. The conditions of the lemma require
that we take $s$ to be the length of the orbit of $a$ under $J$ (since $l = 1$ here), so $s = |\{a, b\}| = 2$.
Thus the image of $a$ cannot be among the last $2 - 1 = 1$ points in $a$'s orbit under $G$. Since
the orbit of $a$ under $G$ is $\{a, b, c, d\}$, we can once again prune this node. (The previous
node, which maps $a$ to $c$, cannot be pruned, of course.)

This particular example is simple. The nodes being examined are at depth one, and
there is significant overlap in the groups in question. While the same node is pruned by
either lemma here, the lemmas prune different nodes in more complex cases. Note also that
the groups $J = G_{\{c\}}$ and $K = G_{\{S,U\}}$ can be computed at the root of the tree, and the
group $J$ is independent of the sets $S$ and $U$ and can therefore be cached with the augmented
clause $(c, G)$.

Lemmas 5.24 and 5.25 are both well known results in the computational group theory 
community. We will also have use of the following: 

Lemma 5.26 Suppose that $t$ is the permutation labeling some node $Ht$ of a coset decomposition
tree at depth $k$, so that $x_i^t = z_i$ for $i \leq k$ and $H = G_{x_1, \ldots, x_k}$ is the residual group at
this level. Let $M$ be the set of points moved by $G_{x_1, \ldots, x_k}$. Now if $z_i >$ min
for any $i \leq k$, then no $g \in Ht$ is the first element of $JgK$.

As an example, consider the cardinality constraint

$x_1 + \cdots + x_m \geq n$

corresponding to the augmented clause $(c, G)$ with

$c = x_1 \lor \cdots \lor x_{m-n+1}$

and $G = \mathrm{Sym}(X)$, where $X$ is the set of all of the $x_j$.

Suppose that we fix the images of the $x_i$ in order, and that we are considering a node
where the image of $x_1$ is fixed to $z_1$ and the image of $x_2$ is fixed to $z_2$, with $z_2 < z_1$. Now
$J = G_{\{c\}} = \mathrm{Sym}(x_1, \ldots, x_{m-n+1}) \times \mathrm{Sym}(x_{m-n+2}, \ldots, x_m)$, so taking $i = 1$ and $k = 2$ in
Lemma 5.26 gives us $J_{x_{k+1}, \ldots, x_m} = \mathrm{Sym}(x_1, x_2)$ since we need to fix all of the $x_j$ after $x_2$.
But $x_i^{J_{x_{k+1}, \ldots, x_m} t} = \{z_1, z_2\}$, and since $z_1$ is not the smallest element of this set, this is
enough to prune this node. See the proof of Proposition 6.9 for another example.

We will refer to Lemmas 5.24-5.26 as the pruning lemmas. 

Adding lexicographic pruning to our $k$-transporter procedure gives us:

Procedure 5.27 Given groups $H \leq G$, an element $t \in G$, sets $c$, $S$ and $U$ and an integer
$k$, to find a group element $g$ = transport$(G, H, t, c, S, U, k)$ with $g \in H$, $c^{gt} \cap S = \emptyset$ and
$|c^{gt} \cap U| \leq k$:

1 if overlap$(H, c, S^{t^{-1}}) > 0$
2     then return FAILURE
3 if overlap$(H, c, (S \cup U)^{t^{-1}}) > k$
4     then return FAILURE
5 if $c = c_H$
6     then return 1
7 if a pruning lemma can be applied
8     then return FAILURE
9 $a \leftarrow$ an element of $c - c_H$
10 for each $t'$ in $(H : H_a)$
11     do $r \leftarrow$ transport$(G, H_a, t't, c, S, U, k)$
12        if $r \neq$ FAILURE
13           then return $rt'$
14 return FAILURE

Note that the test in line 7 requires access to the groups J and K, and therefore to the 
original group G with which the procedure was called. This is why we retain a copy of this 
group in the recursive call on line 11. 

It might seem that we have brought too much mathematical power to bear on the
$k$-transporter problem specifically, but we disagree; recall Figure 1, repeated from ZAP1.
High-performance satisfiability engines, running on difficult problems, spend in excess of
90% of their CPU time in unit propagation, which we have seen to be an instance of the
$k$-transporter problem. Effort spent on improving the efficiency of Procedure 5.27 (and
its predecessors) can be expected to lead to substantial performance improvements in any
practical application. See also Figure 8 and the experimental results in Section 9.2.

We do, however, note that while lexicographic pruning is important, it is also expensive.
This is why we defer it to line 7 of Procedure 5.27. An earlier lexicographic prune would
be independent of the $S$ and $U$ sets, but the count-based pruning is so much faster that we
defer the lexicographic check to the extent possible.

Figure 1: Fraction of CPU time spent in unit propagation



6. Unit Propagation 

Procedure 5.27 was designed around the need to find a single permutation $g \in G$ satisfying
the conditions of the $k$-transporter problem, and this technically suffices for ZAP's needs.
In unit propagation, however, it is useful to collect all of the unit consequences of an 
augmented clause (c, G) at once, as opposed to collecting them via repeated traversals of 
G's coset decomposition tree. 

As we work through the consequences of this observation, it will help to have an example 
that illustrates the points we are going to be making. To this end, we will consider the 
augmented clause 

$(a \lor b \lor e, \mathrm{Sym}(a, b, c, d) \times \mathrm{Sym}(e, f))$ (20)

in a situation where $a$, $b$ and $c$ are false and $d$, $e$ and $f$ are unvalued. The group in (20)
allows arbitrary permutations of $\{a, b, c, d\}$ and of $\{e, f\}$, so that both $e$ and $f$ are unit
consequences of instances of the given augmented clause.

Note that we cannot simply collect all the group elements associated with each unit
instance, since many group elements may correspond to the same clause instance or to
the same unit literal $c^g \cap U$. In the above example, both $()$ and $(ab)$ correspond to the
identical clause $a \lor b \lor e$, and both this clause and $a \lor c \lor e$ lead to the same conclusion $e$
given the current partial assignment.

Our goal will therefore be to compute not a set of permutations, but the associated set 
of all unit conclusions: 

Definition 6.1 Let $(c, G)$ be an augmented clause, and $P$ a partial assignment. The unit
consequences of $(c, G)$ given $P$ is the set of all literals $l$ such that there is a $g \in G$ with
$c^g \cap S(P) = \emptyset$ and $c^g \cap U(P) = \{l\}$. For a fixed literal $w$, the unit $w$-consequences of $(c, G)$
given $P$ is the set of all literals $l$ such that there is a $g \in G$ with $w \in c^g$, $c^g \cap S(P) = \emptyset$ and
$c^g \cap U(P) = \{l\}$.






The unit w-consequences involve an additional requirement that the literal w appear in the 
clause instance in question. This will be useful when we discuss watched literals in the next 
section. 

In our example, the unit consequences of (20) are $e$ and $f$. The unit $c$-consequences are
the same, although we can no longer use the identity permutation $()$, since the needed $c$ is
not in the base instance of (20). There are no unit $d$-consequences of (20).

If the partial assignment is to be annotated, we will need not just the unit consequences, 
but the reasons as well: 

Definition 6.2 Let $X$ be a set of pairs $(l, g)$, where $g \in G$ and $l$ is a literal for each pair.
If $X = \{(l_1, g_1), \ldots, (l_n, g_n)\}$, we will denote $\{l_1, \ldots, l_n\}$ by $L(X)$.

If $(c, G)$ is an augmented clause and $P$ a partial assignment, $X$ will be called an annotated
set of unit consequences of $(c, G)$ given $P$ if:

1. $c^g \cap S(P) = \emptyset$ and $c^g \cap U(P) = \{l\}$ for every $(l, g) \in X$ and

2. $L(X)$ is the set of unit consequences of $(c, G)$ given $P$.

Once again returning to our example, $(e, ())$ is an annotated consequence, as is $(e, (abc))$.
So are $(f, (ef))$ and $(f, (abc)(ef))$. The set $\{(e, (abc)), (f, (ef))\}$ is an annotated set of unit
consequences, as is $\{(e, (abc)), (f, (ef)), (f, (abc)(ef))\}$. But $\{(f, (ef)), (f, (abc)(ef))\}$ is not
an annotated set of unit consequences, since $e$ does not appear as a consequence.

We now modify our $k$-transporter procedure so that we search the entire tree while
accumulating an annotated set of unit consequences. We need to be careful, however,
because the pruning lemmas may prune a node because it includes a permutation $g$ that is
not minimal in its double coset $JgK$. This is a problem because $g$ and the minimal element
of $JgK$ may correspond to distinct unit consequences. In our running example, it may well
be that none of the minimal elements of $JgK$ supports $f$ as a conclusion; if we accumulate
only all of the minimal elements, we will not get a full set of unit consequences as a result.

Given a successful g that is minimal in its double coset, reconstructing the relevant 
orbits under J and K is easy, so we begin by introducing some definitions that cater to this. 
The basic idea is that we want the minimal g to "entail", in some sense, the conclusions 
that can be drawn from other permutations in the double coset JgK. 

In our example, the subgroup of $G$ that simultaneously stabilizes $S$ and $U$ is $G_{\{S,U\}} =
\mathrm{Sym}(a, b, c) \times \mathrm{Sym}(e, f)$. Once we have a permutation $g_1$ that allows us to conclude $e$, we
can operate with $g_1 \cdot (ef) \in g_1 G_{\{S,U\}}$ to conclude $f$ as well. We formalize this as follows:

Definition 6.3 Given a group $G$, we will say that $(l_1, g_1)$ $G$-entails $(l_2, g_2)$, to be denoted
$(l_1, g_1) \models_G (l_2, g_2)$, if there is some $g \in G$ such that $l_2 = l_1^g$ and $g_2 = g_1 g$. We will say that a
set of pairs $X$ $G$-entails a set of pairs $Y$, writing $X \models_G Y$, if every pair in $Y$ is $G$-entailed
by some pair in $X$.

A skeletal set of unit consequences of $(c, G)$ given $P$ is any set $X$ of unit consequences
that $G_{\{S(P),U(P)\}}$-entails an annotated set of unit consequences of $(c, G)$ given $P$.

In our running example, we have $l_1 = e$ and $g = (ef)$ in the first paragraph, allowing
(for example) $(e, ())$ to $G_{\{S,U\}}$-entail $(f, (ef))$. Thus we see that $\{(e, ())\}$ is a skeletal set
of unit consequences of (20) given the partial assignment $\{\neg a, \neg b, \neg c\}$.

Lemma 6.4 If $X \models_G Y$, then $L(Y) \subseteq L(X)^G$.

Proof. Every pair in $Y$ is of the form $(l_1^g, g_1 g)$ for $(l_1, g_1) \in X$ and $g \in G$. Thus the
associated literal is in $L(X)^G$. □

To construct a full set of unit consequences from a skeletal set, we repeatedly find new 
unit conclusions until no more are possible: 

Procedure 6.5 Given a set $X$ of pairs $(l, g)$ and a group $G$, to compute complete$(X, G)$,
where $X \models_G$ complete$(X, G)$ and $L($complete$(X, G)) = L(X)^G$:

1 $Y \leftarrow \emptyset$
2 for each $(l, g) \in X$
3     do for each $l' \in l^G - L(Y)$
4        do select $h \in G$ such that $l^h = l'$
5           $Y \leftarrow Y \cup (l', gh)$
6 return $Y$

Proposition 6.6 $X \models_G$ complete$(X, G)$ and $L($complete$(X, G)) = L(X)^G$.
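
The Python sketch below is an added example, not code from the paper or from ZAP. It enumerates the group of augmented clause (20) exhaustively to recover the unit consequences and unit $w$-consequences of Definition 6.1, then applies Procedure 6.5 to the skeletal set $\{(e, ())\}$ using the stabilizer of $S$ and $U$. The function names and the brute-force enumeration are assumptions of the example; ZAP itself searches a coset decomposition tree instead of listing group elements.

```python
"""Unit consequences of augmented clause (20) and Procedure 6.5, by exhaustive search."""
from itertools import permutations


def sym_product(*blocks):
    """All elements of Sym(block_1) x ... x Sym(block_n) as dicts point -> image."""
    elems = [{}]
    for block in blocks:
        elems = [{**e, **dict(zip(block, img))}
                 for e in elems for img in permutations(block)]
    return elems


def image(points, g):
    """Image of a set of points under the permutation g."""
    return frozenset(g[x] for x in points)


def compose(g, h):
    """The product gh in the paper's convention: apply g first, then h."""
    return {x: h[g[x]] for x in g}


def unit_consequences(c, G, S, U, w=None):
    """Definition 6.1: map each unit consequence l to one witness g with
    c^g & S empty and c^g & U == {l}; if w is given, also require w in c^g."""
    found = {}
    for g in G:
        cg = image(c, g)
        if cg & S or (w is not None and w not in cg):
            continue
        if len(cg & U) == 1:
            found.setdefault(next(iter(cg & U)), g)
    return found


def set_stabilizer(G, *sets):
    """Elements of G that map each of the given sets onto itself."""
    return [g for g in G if all(image(s, g) == s for s in sets)]


def complete(X, K):
    """Procedure 6.5: one pair (l', gh) for every literal l' in L(X)^K."""
    Y = {}
    for l, g in X:
        for h in K:
            if h[l] not in Y:               # l' = l^h has not been recorded yet
                Y[h[l]] = compose(g, h)
    return Y


def is_annotated(Y, c, S, U):
    """Check condition 1 of Definition 6.2 for every pair in Y."""
    return all(not image(c, g) & S and image(c, g) & U == {l}
               for l, g in Y.items())


# Constructed input taken from the running example (20).
G = sym_product("abcd", "ef")               # Sym(a,b,c,d) x Sym(e,f)
C = frozenset("abe")                        # base clause a v b v e
S = frozenset()                             # a, b, c are false: nothing is satisfied
U = frozenset("def")                        # d, e, f are unvalued
IDENTITY = {x: x for x in "abcdef"}
K = set_stabilizer(G, S, U)                 # Sym(a,b,c) x Sym(e,f)

if __name__ == "__main__":
    print("unit consequences:  ", sorted(unit_consequences(C, G, S, U)))
    print("unit c-consequences:", sorted(unit_consequences(C, G, S, U, w="c")))
    print("unit d-consequences:", sorted(unit_consequences(C, G, S, U, w="d")))
    Y = complete([("e", IDENTITY)], K)
    print("completed literals: ", sorted(Y), "annotated:", is_annotated(Y, C, S, U))
```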

Now we can apply the pruning lemmas as the search proceeds, eventually returning a 
skeletal set of unit consequences for the clause in question. In addition, if there is a unit 
instance that is in fact unsatisfiable, we should return a failure marker of some sort. We 
handle this by returning two values. The first indicates whether or not a contradiction was 
found, and the second is the skeletal set of unit consequences. 

Procedure 6.7 Given groups $H \leq G$, an element $t \in G$, sets $c$, $S$ and $U$, to find
Transport$(G, H, t, c, S, U)$, a skeletal set of unit consequences for $(c, G)$ given $P$:

1 if overlap$(H, c, S^{t^{-1}}) > 0$
2     then return (false, $\emptyset$)
3 if overlap$(H, c, (S \cup U)^{t^{-1}}) > 1$
4     then return (false, $\emptyset$)
5 if $c = c_H$
6     then if $c^t \cap U = \emptyset$
7        then return (true, 1)
8        else return (false, $(c^t \cap U, 1)$)
9 if a pruning lemma can be applied
10     then return (false, $\emptyset$)
11 $Y \leftarrow \emptyset$
12 $a \leftarrow$ an element of $c - c_H$
13 for each $t'$ in $(H : H_a)$
14     do $(u, V) \leftarrow$ Transport$(G, H_a, t't, c, S, U)$
15        if $u$ = true
16           then return (true, $Vt'$)
17           else $Y \leftarrow Y \cup \{(l, gt') \mid (l, g) \in V\}$
18 return (false, $Y$)

Proposition 6.8 Assume that $|c^h \cap V| \geq$ overlap$(H, c, V) \geq |c_H \cap V|$ for all $h \in H$, and
let Transport$(G, c, S, U)$ be computed by Procedure 6.7. Then if there is a $g \in G$ such that
$c^g \cap S = c^g \cap U = \emptyset$, Transport$(G, c, S, U)$ = (true, $g$) for such a $g$. If there is no such
$g$, Transport$(G, c, S, U)$ = (false, $Z$), where $Z$ is a skeletal set of unit consequences for
$(c, G)$ given $P$.

As an application of the pruning lemmas, we have: 

Proposition 6.9 Let $(c, G)$ be an augmented clause corresponding to a cardinality constraint.
Then for any sets $S$ and $U$, Procedure 6.7 will expand at most a linear number of
nodes in finding a skeletal set of unit consequences of $(c, G)$.

In the original formulation of cardinality constraints (as in ZAP1), determining if a
particular constraint is unit (and finding the implied literals if so) takes time linear in 
the length of the constraint, since it involves a simple walk along the constraint itself. It 
therefore seems appropriate for a linear number of nodes to be expanded in this case. 

7. Watched Literals 

There is one pruning technique that we have not yet considered, and that is the possibility 
of finding an analog in our setting to Zhang and Stickel's (2000) watched literal idea. 

To understand the basic idea, suppose that we are checking to see if the clause $a \lor b \lor c$
is unit in a situation where $a$ and $b$ are unvalued. It follows that the clause cannot be unit,
independent of the value assigned to $c$.

At this point, we can watch the literals $a$ and $b$; as long as they remain unvalued, the
clause cannot be unit. In practice, the data structures representing $a$ and $b$ include a pointer
to the clause in question, and the unit test needs only be performed for clauses pointed to
by literals that are changing value.

As we continue to discuss these ideas, it will be useful to distinguish among three different 
types of clauses: those that are satisfied given the current partial assignment, those that 
are unit, and those that are neither: 

Definition 7.1 Let $C$ be a clause, and $P$ a (possibly annotated) partial assignment. We
will say that $C$ is settled by $P$ if it is either satisfied or unit; otherwise it is unsettled.

We now have:

Definition 7.2 Let $C$ be a clause, and $P$ a (possibly annotated) partial assignment. If $C$
is unsettled by $P$, then a watching set for $C$ under $P$ is any set of literals $W$ such that
$|W \cap C \cap U(P)| > 1$.

In other words, $W$ contains at least two unvalued literals in $C$ if $C$ is unsettled by the
current partial assignment.

What about if $C$ is satisfied or unit? What should the watching set be in this case?

In some sense, it doesn't matter. Assuming that we notice when a clause changes from 
unsettled to unit (so that we can either unit propagate or detect a potential contradiction), 
settled clauses are uninteresting from this perspective, since they can never generate a
second unit propagation. So we can watch a settled clause or not, as we see fit. 

In another sense, however, it does matter. One of the properties that we would like the 
watching sets to have is that they remain valid during a backtrack. That means that if 
a settled clause C becomes unsettled during a backtrack, there must be two watched and 
unvalued variables after that backtrack. 

In order to discuss backtracking in a formal way, we introduce: 

Definition 7.3 Let $P$ be a partial assignment for a set $T$ of (possibly augmented) clauses.
We will say that $P$ is $T$-closed if no clause $C \in T$ has a unit consequence given $P$. A
$T$-closure of $P$ is any minimal, sound and $T$-closed extension of $P$, and will be denoted by
either $\overline{P}_T$ or by simply $\overline{P}$ if $T$ is clear from context.

The definition of closure makes sense because the intersection of two closed partial 
assignments is closed as well. To compute the closure, we simply add unit consequences 
one at a time until no more are available. Note that there is still some ambiguity; if there 
is more than one unit consequence that can be added at some point, we can add the unit 
consequences in any order. 

Definition 7.4 Let $P = (l_1, \ldots, l_n)$ be a partial assignment. A subassignment of $P$ is any
initial subsequence $(l_1, \ldots, l_j)$ for $j \leq n$. We will say that a subassignment $P'$ of $P$ is a
backtrack point for $P$ if either $P' = P$ or $P' = \overline{P'}$. We will denote by $P_-$ the largest
backtrack point for $P$ that is not $P$ itself.

If $C$ is a clause, we will say that the $P$-retraction of $C$, to be denoted $P_{\neg C}$, is the largest
backtrack point for $P$ for which $C$ is unsettled.

Note that we require a backtrack to the point that $C$ is unsettled, as opposed to simply
unsatisfied. If $P$ is closed, there is no difference because Definition 7.4 does not permit a
backtrack to a point where $C$ is unit. But if $C$ is unit under $P$, we can only "retract" $C$
by reverting to a point before $C$ became unit. Otherwise, $C$ will simply be reasserted when
unit propagation computes $\overline{P}$.

Since $P$ itself is a backtrack point for $P$, we immediately have:

Lemma 7.5 If $C$ is unsettled by $P$, then $P_{\neg C} = P$. □

As an example, suppose that we have the following annotated partial assignment P:

    literal      reason
    $a$          true
    $\neg b$     true
    $c$          $\neg a \vee b \vee c$
    $d$          true
    $e$          $b \vee \neg d \vee e$

If our clause C is $b \vee e \vee f$, the P-retraction of C is $\langle a, \neg b, c \rangle$. Removing e is sufficient to
make C unsettled, but $\langle a, \neg b, c, d \rangle$ is not closed and is therefore not a legal backtrack point.
If $b \vee e$ is in our theory, the retraction is in fact $\langle a \rangle$, because $\langle a, \neg b, c \rangle$ is not a backtrack
point: the unit conclusion e has not been drawn.

We can now generalize Definition 7.2 to include settled clauses: 
Definition 7.6 Let C be a clause, and P an annotated partial assignment. A watching set
for C under P is any set of literals W such that $|W \cap C \cap U(P_{\neg C})| > 1$.

In other words, W will contain at least two unvalued literals in C if we replace P with the
P-retraction of C. As discussed earlier, this is the first point to which we could backtrack so
that C was no longer satisfied or unit. Continuing our earlier example, $\{e, f\}$ is a watching
set for $b \vee e \vee f$, and $\{\neg b, e\}$ is a watching set for $\neg b \vee e$. A watching set for $b \vee e$ is $\{b, e\}$;
recall that the definition forces us to backtrack all the way to $\langle a \rangle$.

Lemma 7.7 If W is a watching set for C under P, then so is any superset of W. □
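
The retraction and watching-set checks of Definitions 7.3 to 7.6, run on the example above. This is an added illustration, not code from ZAP: the string encoding of literals, the function names, and the reading of "unsettled" as "not satisfied, with at least two unvalued literals" are assumptions, and the theory is taken to be the two reason clauses plus C.

```python
# Added example: ground P-retraction and watching sets (Definitions 7.3-7.6).
# Literals are strings; a leading "-" marks negation (an assumed encoding).

def neg(lit):
    return lit[1:] if lit.startswith("-") else "-" + lit

def status(clause, assigned):
    """Classify a clause under the set of literals currently true."""
    if any(l in assigned for l in clause):
        return "satisfied"
    unvalued = [l for l in clause if neg(l) not in assigned]
    if not unvalued:
        return "contradiction"
    return "unit" if len(unvalued) == 1 else "unsettled"

def is_closed(prefix, theory):
    """T-closed: no clause of the theory has a unit consequence (Definition 7.3)."""
    assigned = set(prefix)
    return all(status(c, assigned) != "unit" for c in theory)

def backtrack_points(P, theory):
    """Initial subsequences of P that are P itself or are closed (Definition 7.4)."""
    return [P[:j] for j in range(len(P) + 1)
            if j == len(P) or is_closed(P[:j], theory)]

def retraction(P, clause, theory):
    """P-retraction: the largest backtrack point under which the clause is unsettled."""
    for point in reversed(backtrack_points(P, theory)):
        if status(clause, set(point)) == "unsettled":
            return point
    return None  # e.g. a clause with fewer than two literals

def is_watching_set(W, P, clause, theory):
    """Definition 7.6: more than one watched, unvalued literal of C at the retraction."""
    point = retraction(P, clause, theory)
    if point is None:
        return False
    assigned = set(point)
    unvalued = {l for l in clause if l not in assigned and neg(l) not in assigned}
    return len(set(W) & unvalued) > 1

# The annotated assignment from the text (decisions a, -b, d; c and e propagated).
P = ["a", "-b", "c", "d", "e"]
THEORY = [["-a", "b", "c"], ["b", "-d", "e"], ["b", "e", "f"]]
C = ["b", "e", "f"]

if __name__ == "__main__":
    print(retraction(P, C, THEORY))                      # backtrack past d
    print(retraction(P, C, THEORY + [["b", "e"]]))       # b v e forces a deeper backtrack
    print(is_watching_set({"e", "f"}, P, C, THEORY))
```

Because validity is judged at the retraction rather than at P, the same set of watched literals can be valid or invalid depending on which other clauses are in the theory.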

In order for watching sets to be useful, of course, we must maintain them as the search 
proceeds. Ideally, this maintenance would involve modifying the watching sets as infrequently
as possible, so that we could adjust them only as required when variables take new
values, and not during backtracking at all. Recall the example at the beginning of this
section, where a and b are unvalued and constitute a watching set for the clause $a \vee b \vee c$. If
a or b becomes satisfied, we need do nothing since the clause is now satisfied and {a, b} is 
still a watching set. Note that if a (for example) becomes satisfied, we can't remove b from 
the watching set, since we would then need to replace it if we backtrack to the point that 
a is unvalued once again. Leaving b in the watching set is required to satisfy Definition 7.6 
and needed to ensure that the sets need not be adjusted after a backtrack. 

On the other hand, if a (for example) becomes unsatisfied, we need to check the clause 
to see whether or not it has become unit. If the clause is unit, then b should be set to true 
by unit propagation, so no maintenance is required. If the clause is unsettled, then c must 
be unvalued, so we can replace a with c in the set of literals watching the clause. Finally, 
if the clause is already satisfied, then a will be unvalued in the P-retraction of the clause 
and the watching set need not be modified. 

In general, we have: 

Proposition 7.8 Suppose that W is a watching set for C under P and l is a literal. Then:

1. W is a watching set for C under any backtrack point for P.

2. If C is settled by $\langle P, l \rangle$, then W is a watching set for C under $\langle P, l \rangle$.

3. If C is settled by $\langle P, l \rangle$, and $|(W - \{\neg l\}) \cap C \cap U(P_{\neg C})| > 1$, then $W - \{\neg l\}$ is a
watching set for C under $\langle P, l \rangle$.

4. If $\neg l \notin W \cap C$, then W is a watching set for C under $\langle P, l \rangle$.

The proposition tells us how to modify the watching sets as the search proceeds. No 
modification is required during a backtrack (claim 1). No modification is required if the 
clause is satisfied or unit (claim 2), and we can also remove a newly valued literal from a 
watching set if enough other unvalued variables are present (claim 3). No modification is 
required unless we add the negation of an already watched literal (claim 4). 

In sum, modification to the watching sets is only required when we add the negation of a
watched literal to our partial assignment and the watched clause is not settled; in this case,
we have to add one of the remaining unvalued literals to the watching set. In addition, we
can remove literals from the watching set if enough unvalued literals are already in it. Since
this last possibility is not used in zChaff or other ground systems, here is an example of
it.

Suppose that we are, as usual, watching a and b in $a \vee b \vee c$. At some point, a becomes
true. We can either leave the watching set alone by virtue of condition 4, or we can extend 
the watching set to include c (extending a watching set is always admissible, by virtue of 
Lemma 7.7), and then remove a from the watching set. This change is unneeded in a ground 
prover, but will be useful in the augmented version 7.10 of the proposition below. 

To lift these ideas to an augmented setting, we begin by modifying Definition 7.6 in the 
obvious way to get: 

Definition 7.9 Let (c, G) be an augmented clause, and P an annotated partial assignment.
A watching set for (c, G) under P is any set of literals W that is a watching set for every
instance $c^g$ of (c, G) under P.

This leads to the following augmented analog of Proposition 7.8. (Although there are
four clauses in Proposition 7.8 and four in the following proposition, there is no
clause-for-clause correspondence between the two results.)

Proposition 7.10 Suppose that W is a watching set for (c, G) under P and l is a literal.
Then:

1. W is a watching set for (c, G) under any backtrack point for P.

2. If $\neg l \notin W \cap c^G$, then W is a watching set for (c, G) under $\langle P, l \rangle$.

3. If $|(W \cup V) \cap c^g \cap U(\langle P, l \rangle)| > 1$ for every $g \in G$ such that $c^g$ is unsettled by $\langle P, l \rangle$,
then $W \cup V$ is a watching set for (c, G) under $\langle P, l \rangle$.

4. If $|(W \cup V) \cap c^g \cap [U(\langle P, l \rangle) \cup (S(P) - S(P_-))]| > 1$ for every $g \in G$, then $W \cup V - \{\neg l\}$
is a watching set for (c, G) under $\langle P, l \rangle$.

As an example, suppose that we return to the augmented clause we considered in the
previous section, $(a \vee b \vee e, \mathrm{Sym}(a, b, c, d) \times \mathrm{Sym}(e, f))$. Suppose that we are initially watching
a, b, c and d, and that e is false, and now imagine that a becomes false as well.

We need to augment W so that $|W \cap c^g \cap U(P)| > 1$ for every unsettled instance of
(c, G) that contains a. Those instances are $a \vee b \vee f$, $a \vee c \vee f$ and $a \vee d \vee f$. Since b, c and
d are already in W, we need to add f. If f had been in the watching set but not b, c and
d, we would have had to add those three points instead.

In this case, since the clause has a unit instance ($a \vee b \vee e$, for example), we cannot
remove a from the watching set. The reason is that if we do so and later backtrack past
this point, we are in danger of watching only b for this unsatisfied clause.

Suppose, however, that e had been unvalued when a became false. Now we would have
to add both e and f to the watching set and we would be free to remove a. This is sanctioned
by Proposition 7.10, since (c, G) has no settled instances and if $c^g \cap S(P) = \emptyset$ for all $g \in G$
as well, the conditions of claims three and four are equivalent.

What if e, instead of being false or unvalued, had been true? Now we add f to the
watching set, but can we remove a from the new watching set $\{a, b, c, d, f\}$? We cannot:
the instance $a \vee b \vee e$ would have only one watched literal if we did.

In some cases, however, we can remove the literal that just became false from the 
watching set. We can surely do so if every clause instance still has two unvalued literals in 
the watching set. This would correspond to the requirement that 

$|(W \cup V) \cap c^g \cap U(\langle P, l \rangle)| > 1$

for every instance. The stronger condition in claim four of the proposition allows us to do 
slightly better in cases where the satisfied literal in the clause became satisfied sufficiently 
recently that we know that any backtrack will unvalue it. 
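
The three scenarios just discussed (e false, e unvalued, e true when a becomes false), checked by brute-force enumeration of the twelve instances of $(a \vee b \vee e, \mathrm{Sym}(a, b, c, d) \times \mathrm{Sym}(e, f))$. This is an added illustration, not ZAP code: it enumerates instances explicitly instead of using group operations, the function names are assumptions, and `can_drop` tests only the simpler sufficient condition displayed above, not the stronger one in claim four.

```python
# Added example: maintaining a watching set for an augmented clause by enumeration.
from itertools import combinations

def neg(lit):
    return lit[1:] if lit.startswith("-") else "-" + lit

# Every instance picks two of a..d and one of e, f.
INSTANCES = [frozenset(pair) | {z} for pair in combinations("abcd", 2) for z in "ef"]

def unvalued(clause, true_lits):
    return {l for l in clause if l not in true_lits and neg(l) not in true_lits}

def unsettled(clause, true_lits):
    """Assumed reading: not satisfied and at least two unvalued literals."""
    return not (clause & true_lits) and len(unvalued(clause, true_lits)) >= 2

def literals_to_add(W, true_lits):
    """A set V as in claim 3: afterwards every unsettled instance has more than
    one unvalued literal in W | V."""
    V = set()
    for inst in INSTANCES:
        if not unsettled(inst, true_lits):
            continue
        free = unvalued(inst, true_lits)
        watched = free & (W | V)
        for lit in sorted(free - W - V):
            if len(watched) > 1:
                break
            V.add(lit)
            watched.add(lit)
    return V

def can_drop(W, lit, true_lits):
    """Simple sufficient test: without lit, every instance (settled or not)
    still has more than one unvalued watched literal."""
    rest = W - {lit}
    return all(len(rest & unvalued(inst, true_lits)) > 1 for inst in INSTANCES)

if __name__ == "__main__":
    W = {"a", "b", "c", "d"}
    for label, true_lits in [("e false", {"-e", "-a"}),
                             ("e unvalued", {"-a"}),
                             ("e true", {"e", "-a"})]:
        V = literals_to_add(W, true_lits)
        print(label, "add", sorted(V), "drop a:", can_drop(W | V, "a", true_lits))
```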

The fourth conclusion in Proposition 7.10 is essential to the effective functioning of our 
overall prover; when we replace a watched literal l that has become false with a new and
unvalued literal, it is important that we stop watching the original watched literal l. It
is the last claim in the proposition that allows us to do this in most (although not all) 
practical cases. Without this fourth conclusion, the watching sets would only get larger as 
the search proceeded. Eventually, every literal in every clause would be watched and the 
computational power of the idea would be lost. 

We can now use the watching sets to reduce the number of clauses that must be examined
in line 1 of the unit propagation procedure 2.7. Each augmented clause needs to
be associated with a watching set that is initialized and updated as sanctioned by
Proposition 7.10.

Initialization is straightforward; for any clause (c, G) with c of length at least two, we
need to define an associated watching set W with the property that $|W \cap c^g| > 1$ for every
$g \in G$. In fact, we take W to be simply $c^G$, the union of all of the instances $c^g$, and
rely on subsequent unit tests to gradually reduce the size of W. (Once again, using the
fourth clause of Proposition 7.10.) The challenge is to modify Procedure 6.7 in a way that
facilitates the maintenance of the watching sets.

Before doing this, let us understand in a bit more detail how the watching sets are used 
in searching for unit instances of a particular augmented clause. Consider the augmented 
clause corresponding to the quantified clause 

$\forall x y . [q(x) \wedge r(y) \rightarrow s]$

If Q is the set of instances of $q(x)$ and R the set of instances of $r(y)$, this becomes the
augmented clause

$(\neg q(0) \vee \neg r(0) \vee s, \mathrm{Sym}(Q) \times \mathrm{Sym}(R))$    (21)

where $q(0)$ and $r(0)$ are elements of Q and R respectively.

Now suppose that $r(y)$ is true for all y, but $q(x)$ is unvalued, as is s, so that the clause
(21) has no unit instances. Suppose also that we search for unit instances of (21) by first
stabilizing the image of r and then of q (s is stabilized by the group $\mathrm{Sym}(Q) \times \mathrm{Sym}(R)$
itself). If there are four possible bindings for y (which we will denote 0, 1, 2, 3) and three
for x (0, 1, 2), the search space looks like this:

[Figure: search tree obtained by stabilizing the image of r first and then of q.]

In the interests of conserving space, we have written $q_i$ instead of $q(i)$ and similarly for $r_j$.

Each of the leaf nodes fails because both s and the relevant instance of $q(x)$ are unvalued,
and we now construct a new watching set for the entire clause (21) that watches s and all
of the $q(x)$.

Note that this causes us to lose significant amounts of information regarding portions 
of the search space that need not be reexamined. In this example, the responsible literals 
at each leaf node are as follows: 




[Figure: the search tree above, with the responsible literals $q_i, s$ listed at each leaf node.]

When we simply accumulate these literals at the root of the search tree, we conclude that
the reason for the failure is the watching set $\{q_0, q_1, q_2, s\}$. If any of these watched literals
changes value, we potentially have to reexamine the entire search tree.

We can address this by changing the order of variable stabilization, replacing the search 
space depicted above with the following one: 




[Figure: search tree obtained by stabilizing the image of q first and then of r.]

Now only the center node needs reexpansion if the value of $q_1$ changes, since it is only
at this node that $q_1$ appears. The search space becomes simply:

[Figure: reduced search tree rooted at $\mathrm{Sym}(Q) \times \mathrm{Sym}(R)$.]

which is what one would expect if $q_1$ changes value.

The upshot of this is that while we collect a new watching set for the original augmented
clause corresponding to (21), we also need to modify our unit propagation procedure so that
we first stabilize points that can be mapped to a specific watched literal that has become
unsatisfied.

To see how to keep the watching set updated, consider Proposition 7.10. When searching
for the unit instances of an augmented clause (c, G), we need to compute some set W such
that $|W \cap c^g \cap U(P)| > 1$ for every unsettled instance of (c, G) that contains a fixed literal
w. How are we to do this?

The solution lies in Procedure 6.7, which describes our search for unit instances. If all 
of the remaining clause instances below some particular search node are determined to be 
nonunit in the test on line 3, instead of simply recognizing that every instance under this 
node is nonunit, we need to be able to identify a set of unvalued literals that meets every 
unsettled instance of at least twice. We modify the overlap procedure 5.19 to become: 

Procedure 7.11 Given a group H, two sets c, V acted on by H, and a bound $k \ge 0$, to
compute overlap(H, c, V, k), a collection of elements of V sufficient to guarantee that for
any $h \in H$, $|c^h \cap V| > k$, or $\emptyset$ if no such collection exists:

 1  $m \leftarrow 0$
 2  $W \leftarrow \emptyset$
 3  for each orbit $X$ of $H$
 4      do $\{B_1, \ldots, B_k\} \leftarrow$ a minimal block system for $W$ under $H$ for which
               $c \cap W \subseteq B_i$ for some $i$
 5         $\Delta = |c \cap X| + \min(B_i \cap V) - |B_i|$
 6         if $\Delta > 0$
 7             then $m \leftarrow m + \Delta$
 8                  $W \leftarrow W \cup (X \cap V)$
 9                  if $m > k$
10                      then return $W$
11  return $\emptyset$

Proposition 7.12 Procedure 7.11 returns a nonempty set W if and only if Procedure 5.19
returns a value in excess of k. In this case, $|c^h \cap W| > k$ for every $h \in H$.

We are finally in a position to replace Procedure 6.7 with a version that uses watched 
literals: 

Procedure 7.13 Given groups $H \le G$, an element $t \in G$, sets c, S and U, and optionally
a watched element w, to find Transport(G, H, t, c, S, U, w), a skeletal set of unit
w-consequences for (c, G) given P:

1 if ■iw is supplied and ^ ^ 

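 2      then return (false, $\emptyset$, $\emptyset$)
 3  $V \leftarrow$ overlap($H$, $c$, $S^{t^{-1}}$, 0)
 4  if $V \neq \emptyset$
 5      then return (false, $\emptyset$, $\emptyset$)
 6  $V \leftarrow$ overlap($H$, $c$, $(S \cup U)^{t^{-1}}$, 1)
 7  if $V \neq \emptyset$
 8      then return (false, $\emptyset$, $V^t$)
 9  if $c = c_H$
10      then if $c^t \cap U = \emptyset$
11          then return (true, 1, $\emptyset$)
12          else return (false, $(c^t \cap U, 1)$, $\emptyset$)
13  if a pruning lemma can be applied
14      then return (false, $\emptyset$, $\emptyset$)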

15 a ^ an element oi c — ch- If i/; is supplied and w ^ c^jj, choose a so that u;* G . 

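16  $Y \leftarrow \emptyset$
17  $W \leftarrow \emptyset$
18  for each $t'$ in $(H : H_a)$
19      do $(u, V, X) \leftarrow$ Transport($G$, $H_a$, $t't$, $c$, $S$, $U$, $w$)
20         if $u$ = true
21             then return (true, $V t'$, $\emptyset$)
22             else $W \leftarrow W \cup X$
23                  $Y \leftarrow Y \cup \{(l, g t') \mid (l, g) \in V\}$
24  return (false, $Y$, $W$)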

In the application of the pruning lemmas in line 13, we need to use the restricted group
$G_{\{S,U,\{w\}\}}$, so that we do not prune a group element g with $w \in c^g$ on the basis of another
group element $jgk$ for which $w \notin c^{jgk}$, since $jgk$ might itself then be pruned on line 2.

Proposition 7.14 Suppose that overlap(H, c, V, k) is computed using Procedure 7.11, or
otherwise satisfies the conclusion of Proposition 7.12. Then if there is a $g \in G$ such that
$w \in c^g$ and $c^g \cap S = c^g \cap U = \emptyset$, Transport(G, c, S, U, w) as computed by Procedure 7.13
returns (true, g, $\emptyset$) for such a g. If there is no such g, Procedure 7.13 returns (false, Z, W),
where Z is a skeletal set of unit w-consequences of (c, G) given P, and W is such that
$|W^{G_{\{S,U,\{w\}\}}} \cap c^h \cap U| > 1$ for every $h \in H$ such that $w \in c^h$ and $c^h$ is unsettled by P.

Note that the pruning lemmas are applied relatively late in the procedure (line 13) even
though a successful application prunes the space without increasing the size of the watching 
set. It might seem that the pruning lemmas should be applied earlier. 

This appears not to be the case. As discussed at the end of Section 5, the pruning lemmas 
are relatively complex to check; moving the test earlier (to precede line 6, presumably) 
actually slows the unit propagation procedure by a factor of approximately two, primarily 
due to the need to compute the set stabilizer $G_{\{S,U\}}$ even in cases where a simple counting
argument suffices. In addition, the absolute impact on the watching sets can be expected 
to be quite small. 

To understand why, suppose that we are executing the procedure for an instance where 
it will eventually fail. Now if n is a node that can be pruned either by a counting argument 
(with the new contribution $W_n$ to the set of watched literals) or by a lexicographic argument
using another node $n'$, then since the node $n'$ will eventually fail, it will contribute its own
watching set $W_{n'}$ to the eventually returned value. While it is possible that $W_n \neq W_{n'}$
(different elements can be selected by the overlap function in line 6, for example), we
expect that in the vast majority of cases we will have $W_n = W_{n'}$ and the non-lexicographic
prune will have no impact on the eventual watching set computed. 

Proposition 7.14 implies that the watching set returned by Procedure 7.13 can be used 
to update the watching set as in the third claim of Proposition 7.10. For the fourth claim, 
where we hope to remove $\neg l$ from the new watching set, we need to check to see if

$|W \cap c^g \cap [U(\langle P, l \rangle) \cup (S(P) - S(P_-))]| > 1$

for each $g \in G$, where W is the new watching set. This can be determined by a single call
to transport; if there is no $g \in G$ for which

$|c^g \cap [W \cap (U(\langle P, l \rangle) \cup (S(P) - S(P_-)))]| \le 1$    (22)

we can remove $\neg l$ from W. In some cases, we can save the call to transport by exploiting
the fact (as shown in the proof of Proposition 7.10) that (22) cannot be satisfied if $\langle P, l \rangle$
has a unit consequence. 

We are finally in a position to describe watched literals in an augmented setting. As a 
start, we have: 

Definition 7.15 A watched augmented clause is a pair ((c, G), W) where (c, G) is an
augmented clause and W is a watching set for (c, G).

Procedure 7.16 (Unit propagation) To compute Unit-Propagate(C, P, L) where C
is a set of watched augmented clauses, P is an annotated partial assignment, and L is a set
of pairs $\langle l, r \rangle$ of literals l and reasons r:

 1  while $L \neq \emptyset$
 2      do $\langle l, r \rangle \leftarrow$ an element of $L$
 3         $L \leftarrow L - \langle l, r \rangle$
 4         $P \leftarrow \langle P, \langle l, r \rangle \rangle$
 5         for each $((c, G), W) \in C$
 6             do if $\neg l \in W$
 7                 then $(r, H, V) \leftarrow$ Transport($G$, $c$, $S(P)$, $U(P)$, $\neg l$)
 8                      if $r$ = true
 9                          then $l_i \leftarrow$ the literal in $c^H$ with the highest index in $P$
10                               return (true, resolve($(c^H, G)$, $c_i$))
11                      $H' \leftarrow$ complete($H$, $G_{\{S(P),U(P),\{l\}\}}$)
12                      for each $h \in H'$
13                          do $z \leftarrow$ the literal in $c^h$ unassigned by $P$
14                             if there is no $\langle z, r' \rangle$ in $L$
15                                 then $L \leftarrow L \cup \langle z, c^h \rangle$
16                      $W \leftarrow W \cup (U(P) \cap V^{G_{\{S(P),U(P),\{l\}\}}})$
17                      $U \leftarrow U(P) \cup (S(P) - S(P_-))$
18                      if $H = \emptyset \wedge$ transport($G$, $c$, $\emptyset$, $W \cap U$, 1, $\neg l$) = FAILURE
19                          then $W \leftarrow W - \{\neg l\}$
20  return (false, $P$)

On line 18, we invoke a version of the transport function that accepts as an additional
argument a literal that is required to be included in the clause instance being sought.
This modification is similar to the introduction of such a literal w in the Transport
procedure 7.13.

Proposition 7.17 Let P be an annotated partial assignment, and C a set of watched
augmented clauses, where for every $((c, G), W) \in C$, W is a watching set for (c, G) under P.
Let L be the set of unit consequences of clauses in C. If Unit-Propagate(C, P, L) returns
(true, c) for an augmented clause c, then c is a nogood for P, and any modified watching
sets in C are still watching sets under P. Otherwise, the value returned is (false, P) and
the watching sets in C will all have been replaced with watching sets under P.

Procedure 7.16 can be modified and incorporated in a fairly obvious way into
Procedure 2.8, where the literal most recently added to the partial assignment is added to L and
thereby passed into the unit propagation procedure.

8. Resolution Revisited 

There is one additional theoretical point that we need to discuss before turning our attention 
to experimental matters. 

The goal in augmented resolution is to produce many (if not all) of the resolvents 
sanctioned by instances of the augmented clauses being resolved. As we showed in ZAP2,
however, it is not always possible to produce all such resolvents. Here is another example 
of that phenomenon. 
Suppose that we are resolving the two clauses

$(a \vee c, (ab))$    (23)

and

$(b \vee \neg c, (ab))$    (24)

The result is$^{10}$

$(a \vee b, (ab))$    (25)

But consider the example. The instances of (23) are $a \vee c$ and $b \vee c$; those of (24) are $b \vee \neg c$
and $a \vee \neg c$. Surely it is better to have the resolvent be $(a, (ab))$ instead of (25). In general,
we never want to conclude $(c, G)$ when it is possible to conclude $(c', G)$ for $c' \subset c$ where the
set inclusion is proper. The resolvent with $c'$ is properly stronger than that with c.

There is an additional consideration as well. Suppose that we are resolving two augmented
clauses, and can choose instances of the resolving clauses so that the resolvent is
$(a \vee c, G)$ or $(b \vee c, G)$, where a and b are literals and the two possible resolvents are distinct
because $(ab) \notin G$. Which should we select?

We know of no general answer, but a reasonable heuristic is to make the choice based on 
the order in which literals were added to the current partial assignment. Assuming that the 
resolvent is a nogood, presumably a and b are both false for the current partial assignment 
P. We should select the resolvent that allows a larger backjump; in this case, the resolvent 
involving the literal that was added to P first. 

All of these considerations have no direct analog in a conventional Boolean satisfiability 
engine.$^{11}$ For any particular literal l, the resolvent of the reasons for l and for $\neg l$ is just that;
there is no flexibility possible. 

Definition 8.1 Let $(\alpha, G)$ and $(\beta, H)$ be two augmented clauses resolving on a literal l, so
that $l \in \alpha$ and $\neg l \in \beta$. An l-resolvent for $(\alpha, G)$ and $(\beta, H)$ will be any clause obtained by
resolving $\alpha^g$ and $\beta^h$ for $g \in G$ and $h \in H$ such that $l \in \alpha^g$ and $\neg l \in \beta^h$.

Note that the group Z in the resolvent clause $(\mathrm{resolve}(\alpha^g, \beta^h), Z)$ is independent of
the resolvent selected, so we can focus our attention strictly on the syntactic properties of
the resolvent.

We next formalize the fact that the partial assignment P induces a natural lexicographic 
ordering on the set of nogoods for a given theory: 

Definition 8.2 Let P be a partial assignment, and c a ground clause. If l is the literal in
c whose negation has maximal index in P, we will say that the falsification depth of c is the
position in P of the literal $\neg l$. The falsification depth is zero if there is no such literal in c;
in any event, the falsification depth of c will be denoted by $c^{?P}$.

If $c_1$ and $c_2$ are two nogoods, we will say that $c_1$ is falsified earlier than $c_2$ by P, writing
$c_1 <_P c_2$, if either $c_1^{?P} < c_2^{?P}$, or $c_1^{?P} = c_2^{?P}$ and $c_1 - \neg l_{c_1^{?P}} <_P c_2 - \neg l_{c_2^{?P}}$.

10. The result can be obtained by direct computation or by applying the resolution stability property
discussed in ZAP2, since the groups are identical.

11. A weak analog is present in zChaff, which can replace one nogood n with another n' if n' leads to a 
greater backjump than n does. This functionality is part of the zChaff code but does not appear to 
have been documented. 
As an example, suppose that P is $\langle a, b, c, d, e \rangle$. The falsification depth of $\neg a \vee \neg c$ is
three, since c is the third variable assigned in P. The falsification depth of $\neg b \vee \neg d$ is four.
Thus $\neg a \vee \neg c <_P \neg b \vee \neg d$; we would rather learn $\neg a \vee \neg c$ because it allows us to backjump
to c instead of to d. Similarly $\neg a \vee \neg c \vee \neg e <_P \neg b \vee \neg d \vee \neg e$; once the common element
$\neg e$ is eliminated, we would still rather backtrack to c than to d. In general, our goal when
resolving two augmented clauses is to select a resolvent that is minimal under $<_P$. Note
that we have:

Lemma 8.3 If $c_1 \subset c_2$ are two nogoods for P, then $c_1 <_P c_2$.

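Procedure 8.4 Suppose we are given two augmented clauses $(\alpha, G)$ and $(\beta, H)$ that are
unit for a partial assignment $P = \langle l_1, \ldots, l_n \rangle$, with $l \in \alpha$ and $\neg l \in \beta$. To find a $<_P$-minimal
l-resolvent of $(\alpha, G)$ and $(\beta, H)$:

 1  $U \leftarrow \{l, \neg l\}$    ▷ literals you can't avoid
 2  $\alpha_f \leftarrow \alpha$
 3  $\beta_f \leftarrow \beta$
 4  $p \leftarrow [(\alpha_f \cup \beta_f) - U]^{?P}$
 5  while $p > 0$
 6      do $g \leftarrow$ transport($G$, $\alpha$, $\{\neg l_p, \ldots, \neg l_n\} - U$, $\emptyset$, 0, $l$)
 7         $h \leftarrow$ transport($H$, $\beta$, $\{\neg l_p, \ldots, \neg l_n\} - U$, $\emptyset$, 0, $\neg l$)
 8         if $g$ = FAILURE $\vee$ $h$ = FAILURE
 9             then $U \leftarrow U \cup \{\neg l_p\}$
10             else $\alpha_f \leftarrow \alpha^g$
11                  $\beta_f \leftarrow \beta^h$
12         $p \leftarrow [(\alpha_f \cup \beta_f) - U]^{?P}$
13  return resolve($\alpha_f$, $\beta_f$)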

The basic idea is that we gradually force the two clause instances away from the end of 
the partial assignment; as we back up, we keep track of literals that are unavoidable because 
an associated call to transport failed. The unavoidable literals are accumulated in the set 
U above, and as we continue to call the transporter function, we have no objection if one or 
both of the clause instances includes elements of U . At each point, we rcfocus our attention 
on the deepest variable that is not yet known to be either avoidable or unavoidable; when 
we reach the root of the partial assignment, we return the instances found. 

Here is an example. Suppose that $P = \langle a, b, c, d, e \rangle$ as before, and that $(\alpha, G)$ has
instances $\neg c \vee \neg d \vee l$ and $\neg a \vee \neg e \vee l$. The second clause $(\beta, H)$ has the single instance
$\neg b \vee \neg e \vee \neg l$.

If we resolve the $<_P$-minimal instances of the two augmented clauses, we will resolve
$\neg c \vee \neg d \vee l$ with $\neg b \vee \neg e \vee \neg l$ to get $\neg b \vee \neg c \vee \neg d \vee \neg e$. We do better if we resolve $\neg a \vee \neg e \vee l$
and $\neg b \vee \neg e \vee \neg l$ instead to get $\neg a \vee \neg b \vee \neg e$. The literals $\neg b$ and $\neg e$ appear in any case,
but we're better off with $\neg a$ than with $\neg c \vee \neg d$.

Suppose that we follow this example through the procedure, with U initially set to
$\{l, \neg l\}$ and (say) $\alpha$ and therefore $\alpha_f$ set to $\neg c \vee \neg d \vee l$. Both $\beta$ and $\beta_f$ are set to $\neg b \vee \neg e \vee \neg l$,
since this is the only instance of $(\beta, H)$. The initial value for p is five, since the last literal
in $\alpha_f \cup \beta_f - U = \{\neg b, \neg c, \neg d, \neg e\}$ is $\neg e$.

We now try to find a way to avoid having $\neg e$ appear in the final resolvent. We do this
by looking for an instance of $(\alpha, G)$ that includes l (the literal on which we're resolving)
and avoids $\neg e$ (and any subsequent literal, but there aren't any). Such an instance is given
by $\alpha$ itself. But there is no instance of $(\beta, H)$ that avoids $\neg e$, so the call in line 7 fails. We
therefore add $\neg e$ to U and leave the clauses $\alpha_f$ and $\beta_f$ unchanged. We decrement p to four,
since $\neg e$ is no longer in $(\alpha_f \cup \beta_f) - U$.

On the next pass through the loop, we are looking for clause instances that avoid
$\{\neg d, \neg e\} - U = \{\neg d\}$. We know that we'll be forced to include $\neg e$ in the final result, so we
don't worry about it. All we hope to do at this point is to exclude $\neg d$.

Here, we are successful in finding such instances. The existing instance $\beta$ suffices, as
does the other instance $\neg a \vee \neg e \vee l$ of $(\alpha, G)$. This becomes the new $\alpha_f$ and p gets reduced
to two, since we now have $(\alpha_f \cup \beta_f) - U = \{\neg a, \neg b\}$.

The next pass through the loop tries to avoid $\neg b$ while continuing to avoid $\neg c$ and $\neg d$
(which we know we can avoid because the current $\alpha_f$ and $\beta_f$ do so). This turns out to be
impossible, so $\neg b$ is added to U and p is decremented to one. Avoiding $\neg a$ is impossible as
well, so p is decremented to zero and the procedure correctly returns $\neg a \vee \neg b \vee \neg e$.
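
Definition 8.2 and Procedure 8.4 run on the example just traced. This is an added illustration, not ZAP code: explicit lists of ground instances and a linear scan (`find_instance`, a hypothetical name) stand in for the group-theoretic transport calls, literals are strings with a leading "-" for negation, and the first listed instance of each clause is taken as the initial $\alpha$ and $\beta$.

```python
# Added example: <_P-minimal l-resolvent over explicit instance lists.

def neg(lit):
    return lit[1:] if lit.startswith("-") else "-" + lit

def depth(clause, P):
    """Falsification depth: 1-based position in P of the deepest literal whose
    negation occurs in the clause, or 0 if there is none."""
    return max((P.index(neg(l)) + 1 for l in clause if neg(l) in P), default=0)

def falsified_earlier(c1, c2, P):
    """c1 <_P c2: compare depths, then recurse with the deepest literal removed."""
    c1, c2 = set(c1), set(c2)
    d1, d2 = depth(c1, P), depth(c2, P)
    if d1 != d2:
        return d1 < d2
    if d1 == 0:
        return False
    deepest = neg(P[d1 - 1])
    return falsified_earlier(c1 - {deepest}, c2 - {deepest}, P)

def find_instance(instances, avoid, must_contain):
    """Stand-in for transport: an instance containing must_contain and meeting
    no literal in avoid, or None (FAILURE)."""
    for inst in instances:
        if must_contain in inst and not (inst & avoid):
            return inst
    return None

def minimal_resolvent(alpha_insts, beta_insts, lit, P):
    U = {lit, neg(lit)}                       # literals we cannot avoid
    alpha_f, beta_f = alpha_insts[0], beta_insts[0]
    p = depth((alpha_f | beta_f) - U, P)
    while p > 0:
        avoid = {neg(x) for x in P[p - 1:]} - U
        g = find_instance(alpha_insts, avoid, lit)
        h = find_instance(beta_insts, avoid, neg(lit))
        if g is None or h is None:
            U.add(neg(P[p - 1]))              # the literal at depth p is unavoidable
        else:
            alpha_f, beta_f = g, h
        p = depth((alpha_f | beta_f) - U, P)
    return (alpha_f - {lit}) | (beta_f - {neg(lit)})

# The example from the text.
P = ["a", "b", "c", "d", "e"]
ALPHA = [frozenset({"-c", "-d", "l"}), frozenset({"-a", "-e", "l"})]
BETA = [frozenset({"-b", "-e", "-l"})]

if __name__ == "__main__":
    print(sorted(minimal_resolvent(ALPHA, BETA, "l", P)))
```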

Proposition 8.5 Suppose that we are given two augmented clauses $(\alpha, G)$ and $(\beta, H)$ such
that $\alpha$ and $\beta$ are unit for a partial assignment P, with $l \in \alpha$ and $\neg l \in \beta$. Then the value
returned by Procedure 8.4 is a $<_P$-minimal l-resolvent of $(\alpha, G)$ and $(\beta, H)$.

The procedure can be implemented somewhat more efficiently than described above; if
$\alpha_f$, for example, already satisfies the condition implicit in line 6, there is no need to reinvoke
the transport function for g.

More important than this relatively slender improvement, however, is the fact that 
resolution now involves repeated calls to the transport function. In general, Boolean 
satisfiability engines need not worry about the time used by the resolution function, since 
unit propagation dominates the running time. A naive implementation of Procedure 8.4, 
however, involves more calls to transport than does the unit propagation procedure, so 
that resolution comes to dominate ZAP's overall runtime. 

To correct this, remember the point of Procedure 8.4. The procedure is not needed for 
correctness; it is only needed to find improved resolution instances. The amount of time 
spent looking for such instances should be less than the computational savings achieved by 
having them. Put slightly differently, there is no requirement that we produce a resolvent 
that is absolutely minimal under the <p ordering. A resolvent that is nearly minimal will 
suffice, especially if producing the truly minimal instance involves large computational cost. 

We achieve this goal by working with a modified transport function on lines 6 and 7 
of Procedure 8.4. Instead of expanding the coset decomposition tree completely, a limited 
number of nodes are examined. ZAP's current implementation prunes the transporter search
after 100 nodes have been examined; in solving the pigeonhole problem, for example, this
turns out to be sufficient to ensure that the resulting proof length is the same as it would
have been had strictly $<_P$-minimal resolvents been found. We also modify the pruning
computation, pruning with $K = G_{S \cup U}$ instead of the more difficult to compute $G_{\{S,U\}}$.
Since $G_{S \cup U} \le G_{\{S,U\}}$ (stabilizing every element of a set surely stabilizes the set itself), this
approximation saves time but reduces the amount of possible pruning. This is appropriate
given the artificially reduced size of the overall search tree and the need to produce an
answer quickly.

Figure 2: CPU time for a resolution in the pigeonhole problem



9. Experimental Results: Components 

We are finally in a position to describe the experimental performance of the algorithms that 
we have presented. As remarked in the introduction, we begin by describing the performance 
of ZAP's algorithmic components, its resolution and unit propagation algorithms.
Performance results for a complete inference tool built using our ideas are in the next section.
All experiments were performed on a 2GHz Pentium-M with 1GB of main memory. 

9.1 Resolution 

We have implemented the resolution procedure described in Section 4, and the results for 
the pigeonhole problem are shown in Figure 2. This particular example involves resolving 
the two basic axioms in a pigeonhole problem containing n pigeons and $n - 1$ holes:

$(p_{11} \vee \cdots \vee p_{1,n-1}, G)$
$(\neg p_{11} \vee \neg p_{12}, G)$

The first axiom says that pigeon 1 must be in some hole; the second, that the first two 
pigeons cannot both be in the first hole. The group G corresponds to a global symmetry 
group where pigeons and holes can be interchanged freely. 
The resolvent of the above two axioms can in fact be computed without any group-theoretic
computation at all, using the result from ZAP2 that the group of stable extensions
of $(c_1, G)$ and $(c_2, G)$ is always a superset of the group G. The algorithm in Section 4 for
computing augmented resolvents does not include a check to see if the groups are identical, 
but the implementation does include such a check. This test was disabled to produce the 
data in Figure 2. 

We plot the observed time (in seconds) for the resolution as a function of the number 
of pigeons involved, with time plotted on a log scale. Memory usage was typically approximately
5MB; the CPU usage was dominated by the need to compute stabilizer chains for
the groups in question. The algorithms used for doing so take time O(d^) where d is the
size of the domain on which the group is operating (Furst, Hopcroft, & Luks, 1980; Knuth,
1991). In this case, the symmetries over pigeons and over holes can be stabilized independently
and we therefore expect the stabilizer chain computation to take time O(n^), where
n is the number of pigeons. We fit the data to the curve $ax^b$, with the best fit occurring for
$b \approx 4.6$. This is consistent with the stabilizer chain computation dominating the runtime.

If we reinsert the check to see if the groups are the same, the running times are reduced 
uniformly by approximately 35%. Testing group equality involves checking to see if each 
generator of $G_1$ is a member of $G_2$ and vice versa, and therefore still involves computing
stabilizer chains for the groups in question. Once again, the need to compute the stabilizer 
chains dominates the computation. 

9.2 Unit Propagation 

In Figure 3 we give data showing the average time needed for a unit test in the pigeonhole 
problem. These are the "naturally occurring" unit tests that arise in a run of the prover 
on the problem in question. The memory used by the program remained far less than the 
1GB available; as an example, maximum usage was approximately 20MB for 13 pigeons. 

Since the unit test is NP-complete, it is customary to give both mean and median 
running times; we present only means in Figure 3 because the mean running times appear 
to be growing polynomially (compare the two lines of best fit in the figure), and because 
the medians appear to be only modestly smaller than the means. This is shown in Figure 4, 
where it appears that the ratio of the mean to median running times is growing only linearly 
with problem size. 

The earlier Figure 3 also shows the average CPU time for "failed" tests (where the clause 
in question has no unit instances) and "successful" tests (where unit instances exist); as 
can be seen, failed unit tests generally complete far more quickly than their successful 
counterparts of similar size as the various pruning heuristics come into play. In both cases, 
however, the scaling continues to appear to be polynomial in the problem size. 

12. Accurately measuring peak memory usage is difficult because the group operations regularly allocate 
and free relatively large blocks of memory. We measured the usage by simply starting a system monitor 
and observing it, which was not practical for problem instances that took extended amounts of time to 
complete. This is the reason that we report memory usage only approximately, and only for one problem 
instance. 
Figure 3: CPU time for a unit test in the pigeonhole problem 



10. Experimental Results: ZAP 

We conclude our discussion of ZAP's experimental performance with results on problem 
instances in their entirety, as opposed to the performance of individual algorithmic com- 
ponents. Before presenting the results, however, let us describe both the domains being 
considered and our expectations with regard to performance of both ZAP and of existing 
systems in these areas. 

We will be examining performance in three domains: 

1. In a pigeonhole problem, the goal is to show that you cannot put n + 1 pigeons into n 
holes if each pigeon is to get its own hole. 

2. In a parity problem, the goal is to show that $\sum_{i \in I} x_i + \sum_{i \in J} x_i$ cannot be odd if the 
sets I and J are equal (Tseitin, 1970). 

3. In a clique-coloring problem, the goal is to show that a map containing an m-clique 
cannot be colored in n colors if n < m. 

The reasons that we have chosen these particular problem classes are as follows: 

1. They all should be easy. It's "obvious" that you can't put n + 1 pigeons into n holes, 
and that $\sum_{i \in I} x_i + \sum_{i \in J} x_i$ is even if each $x_j$ appears exactly twice. It's also obvious 
that you can't color a graph containing an m-clique using fewer than m colors. 

In this last case especially, note that we are solving an easy problem. It is not the 
case that we are trying to color a specific graph containing an m-clique; the goal is 
to show that any graph containing an m-clique anywhere cannot be colored. This is 
very different from graph coloring generally. 

Figure 4: Mean vs. median CPU time for a unit test in the pigeonhole problem 

Put somewhat differently, all of the problems that we will be examining are in P. 
Given suitable representations, they should all be easy. 

2. All of the problems are known to be exponentially difficult for resolution-based meth- 
ods. This was shown for pigeonhole problems by Haken (1985) and for parity problems 
by Tseitin (1970). Clique-coloring problems are known to be exponentially difficult 
not only for resolution, but for linear programming methods as well (Pudlak, 1997). 
In fact, we know of no implemented system that scales polynomially on this class of 
problem. 

3. Finally, all of these problems involve structure that can be captured in a group-based 
setting. 

The data that we will present compares ZAP's performance to that of zChaff; Sec- 
tion 10.4 discusses the performance of some other Boolean tools on the problem classes 
that we will be discussing. We chose zChaff for comparison partly because it has been 
discussed throughout this series of papers, and partly because it appears to have the best 
overall performance on the three problem classes that we will be considering. (Once again, 
see Section 10.4 for additional details.) 

ZAP expectations. Before proceeding, let us point out that on a theoretical basis, it is 
known that short group-based proofs exist for all of these problems. We showed in ZAP2 that 
group-based pigeonhole proofs can be expected to be short, and also that all parity problems 
have short group-based proofs that mimic Gaussian elimination. We also showed that short 
group-based proofs existed for clique coloring, although the proof was fairly intricate. Our 
goal here is to determine whether an implementation of our ideas can discover these short 
proofs in practice, or whether the control of group-based inference will require additional 
theoretical ideas that we do not yet understand. 

Please understand that our goal at this point is not to test ZAP on standard NP-complete 
search problems in Boolean form, such as graph coloring or quasigroup completion prob- 
lems (Gomes & Selman, 1997). Doing so involves a significant effort in ensuring that ZAP's 
constant factors and data structures are comparable to those of other systems; while pre- 
liminary indications are that this will be possible with only modest impact on performance 
(approximately a factor of two), the work is not yet complete and will be reported elsewhere. 



10.1 Pigeonhole Results 

Figure 5 shows running times for both ZAP and for zChaff on pigeonhole instances. Fig- 
ure 6 repeats the zap data, also including best exponential and polynomial fits for the time 
spent. The overall running time appears to be polynomial, varying as approximately n^'^ 
where n is the number of pigeons. In very rough terms, there is a factor of O(n^) needed for 
the stabilizer chain constructions. If we branch only on positive literals, we know (see zap2) 
that there will be O(n) resolutions needed to solve the problem, and each resolution will 
lead to O(n^) unit propagations. The total time can thus be expected to be approximately 
O(n^), assuming that each unit propagation involves only stabilizer chain computations and 
no actual search. Our observed performance is close to this theoretical value. 

Figure 6: ZAP scaling for pigeonhole instances 

In practice, ZAP branches not on positive literals, but on negative ones. The reason is 
that the negative literals appear in far more clauses than the positive ones (O(n) clauses 
for each negative literal as opposed to a single clause for a positive literal), and the usual 
branching heuristic in the Boolean satisfiability community initially assigns to a variable 
the value that satisfies as many clauses as possible. 

The number of nodes expanded by ZAP in solving any particular instance of the pi- 
geonhole problem is shown in Figure 7, which also presents similar data for zChaff. The 
number of nodes expanded by ZAP is in fact exactly — 3n + 1; curiously, this is also the 
depth of the zChaff search for the next smaller instance with n — 1 pigeons. We do not 
know if the small size of the pigeonhole proofs found by ZAP is the result of the effectiveness 
of the use of <p-optimal resolvents, or if some fundamental argument can be made that all 
ZAP proofs of the pigeonhole problem will be short. 

Before moving on to parity problems, allow us to comment on the importance of the 
various algorithmic techniques that we have described. We recognize that many of the 
algorithms we have presented are quite involved, and it is important to demonstrate that 
the associated algorithmic complexity leads to legitimate computational gains. 

Figure 8 shows the time needed to solve pigeonhole instances if we either abandon the 
pruning lemmas or avoid the search for <p-optimal resolvents. As should be clear from the 
data, both of these techniques are essential to obtaining the overall performance exhibited 
by the system. 
If we abandon the search for < p-optimal resolvents, the proof lengths increase significantly 
but appear to remain polynomial in n. The length increase in the learned axioms 
leads to increased running times for unit propagation, and this appears to be the primary 
reason for the performance degradation in the figure. The overall running times scale ex- 
ponentially. 

Abandoning the pruning lemmas also leads to exponential running times. This is to be 
expected at some level; there are still exponentially many learned ground axioms and if we 
cannot prune the search for unit instances, exponential behavior is to be expected. 

There were other ways that we could have reduced ZAP's algorithmic complexity as 
well. We could, for example, have removed watched literals and the computational ma- 
chinery needed to maintain them. As it turns out, this change has virtually no impact on 
zap's pigeonhole performance because the prover's behavior here is typically backtrack-free 
(Dixon et al., 2004a). In general, however, watched literals can be expected to play as 
important a role in ZAP as they do in any other DPLL-style prover. Our overall focus in this 
series of papers has been to show that group-based augmentations could be implemented 
without sacrificing the ability to use any of the recent techniques that have made Boolean 
satisfiability engines so effective in practice, and watched literals can certainly be numbered 
amongst those techniques. 

We also did not evaluate the possibility of not learning augmented clauses at all, perhaps 
learning instead only their ground versions. This would avoid the need to implement Pro- 
cedure 4.1, but would also avoid all of the computational gains to which ZAP theoretically 
has access. It is only by learning augmented clauses that theoretical reductions in proof 
size can be obtained; otherwise, the proof itself would necessarily be unchanged from any 
other DPLL-style approach. 

olutions use the original base instances of the clauses being resolved, as opposed 
to searching for and resolving < p-optimal instances. 

10.2 Tseitin Results 

The next problem class for which we present experimental data is one due to Tseitin (1970) 
that was shown by Urquhart (1987) to require resolution proofs of exponential length. Each 
problem is based on a graph G. We associate a Boolean variable with each edge in G, and 
every vertex v in G has an associated charge of 0 or 1 that is equal to the sum mod 2 of the 
variables adjacent to v. The charge of the entire graph G is the sum mod 2 of the charges 
of its vertices. If we require that a connected graph G have a charge of one, then the set 
of constraints associated with its vertices is unsatisfiable (Tseitin, 1970). Here is the graph 
for a problem of size four, together with its associated constraints: 
a + b + c = 1 
d + e + a = 0 
f + b + d = 0 
c + e + f = 0 

In the language of ZAP (see Appendix B), we have 

a b c %2= 1 ; 
d e a %2= 0 ; 
f b d %2= 0 ; 
c e f %2= 0 ; 

The axiom set is unsatisfiable because adding all of the above axioms gives us 

2a + 2b + 2c + 2d + 2e + 2f = 1 

These problems are known to be exponentially difficult for resolution-based methods (Urquhart, 
1987). 

Times to solution for zap and zChaff are shown in Figure 9. ZChaff is clearly scaling 
exponentially; the best fit for the ZAP times is 0.00043n'^'^°^°^^"'), where n is the problem 
size. 

Figure 10 shows the number of nodes expanded by the two systems. The number 
of search nodes expanded by zap appears to be growing polynomially with the size of the 
problem (0(n^-^), give or take), in keeping with a result from ZAP2 showing that ZAP proofs 
of polynomial length always exist for parity problems. As with the pigeonhole instances, 
we see that short proofs exist not only in theory, but apparently in practice as well. 

Given that a polynomial number of nodes are expanded but a super-polynomial amount 
of time is consumed, it seems likely that the unit propagation procedure is the culprit, 
taking a super-polynomial amount of time per unit propagation. As shown in Figure 11, 
this is in fact the case. But the unit test should be easy here - after all, the groups are all 
simply those that flip an even number of the variables in question. If we want to know if an 
augmented clause has a unit instance, we find the unvalued variables it contains. If more 
than one, the clause is not unit. If exactly one, the clause is always unit: the variable must 
be valued so as to make the parity of the sum take the desired value. So there seems to 
be no reason for the unit tests to be scaling as $n^{\log(n)}$. 
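The Tseitin construction and the parity unit test described above, as an added example in Python (not code from ZAP or from the paper). It assumes the size-n instance is built on the complete graph K_n, which matches the size-four constraints shown; all function names are hypothetical. Gaussian elimination over GF(2) stands in for the polynomial-time route and reports which constraints sum to 0 = 1.

```python
from itertools import combinations


def tseitin(n, charged=0):
    """Vertex constraints for K_n (assumed graph family).

    One Boolean variable per edge; each vertex yields
    (edge variables incident to it, charge), with a single charged vertex
    so that the total charge of the graph is one.
    """
    edges = list(combinations(range(n), 2))
    cons = [([e for e in edges if v in e], int(v == charged)) for v in range(n)]
    return edges, cons


def unit_value(con, assignment):
    """Unit test for one parity constraint under a partial assignment.

    Returns (variable, forced value) when exactly one variable is unvalued,
    otherwise None (two or more unvalued: not unit; none: nothing to force).
    """
    variables, charge = con
    unvalued = [v for v in variables if v not in assignment]
    if len(unvalued) != 1:
        return None
    parity = sum(assignment[v] for v in variables if v in assignment) % 2
    return unvalued[0], parity ^ charge


def refute_or_solve(variables, cons):
    """Gaussian elimination over GF(2) on parity constraints.

    Returns ("sat", assignment) or ("unsat", indices of the constraints
    whose sum collapses to 0 = 1).
    """
    bit = {v: i for i, v in enumerate(variables)}
    pivots = {}  # pivot bit -> [mask, rhs, combo of original rows]
    for idx, (vs, rhs) in enumerate(cons):
        mask = 0
        for v in vs:
            mask ^= 1 << bit[v]
        combo = 1 << idx
        # Clear every existing pivot variable from the new row.
        for p, (pm, pr, pc) in pivots.items():
            if mask >> p & 1:
                mask, rhs, combo = mask ^ pm, rhs ^ pr, combo ^ pc
        if mask == 0:
            if rhs:  # left side vanished, right side is 1
                return "unsat", [i for i in range(len(cons)) if combo >> i & 1]
            continue
        p = mask.bit_length() - 1
        # Keep reduced form: remove the new pivot from older rows.
        for row in pivots.values():
            if row[0] >> p & 1:
                row[0] ^= mask
                row[1] ^= rhs
                row[2] ^= combo
        pivots[p] = [mask, rhs, combo]
    assignment = {v: 0 for v in variables}  # free variables set to 0
    for p, (_, pr, _) in pivots.items():
        assignment[variables[p]] = pr
    return "sat", assignment


if __name__ == "__main__":
    edges, cons = tseitin(4)
    print(refute_or_solve(edges, cons))
    print(unit_value(cons[0], {(0, 1): 1, (0, 2): 1}))
```

For K_4 the refuting combination is all four vertex constraints, which is the sum written out in Section 10.2.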




Figure 9: CPU time for Tseitin instances, ZAP and zChaff. ZChaff is scaling exponen- 
tially; ZAP is scaling as 0(n^-^'°s(n)). 



The $n^{\log(n)}$ scaling itself appears to be a consequence of the multiset stabilizer computation 
that underlies the k-transporter pruning. Here, too, the scaling should be polynomial, 
since we can show that polytime (O(n^)) methods exist for set stabilizer for the groups 
in question. The general methods implemented by GAP and by zap do not exploit the 
Abelian nature of the parity groups, however, and the scaling is as shown. An obvious ex- 
tension of the existing implementation would include more efficient set stabilizer algorithms 
for these groups. 

10.3 Clique Coloring 

The final problem class for which we present experimental data is that of clique coloring. 
This class of problems is related to the pigeonhole problem but far more difficult. 

As mentioned previously, the domain is that of graph coloring, where two nodes con- 
nected by an edge must be assigned different colors. If the graph is a clique of size m, then 
it is obvious that the graph cannot be colored in m — 1 colors. This is equivalent to an 
instance of the pigeonhole problem. But in the clique coloring problem, we are not told 
that the graph is a clique of size m, only that it contains a clique of size m. The fact that 
we do not know the exact location of the clique widens the search considerably. 

13. The argument can be made either from the fact that the groups are Abelian, or from the fact that the 
group orbits are all of size two, and the set stabilizer problem can thus be converted to one of linear 
algebra over $Z_2$. 

Figure 10: Nodes expanded in the Tseitin problems. ZChaff is scaling exponentially; ZAP 
is scaling polynomially as 0(n^'^). 

We know of no (other) automated proof system that scales polynomially on problems 
in this class; both resolution and linear programming methods inevitably scale exponen- 
tially (Pudlak, 1997). We showed in ZAP2 that ZAP could produce polynomial-length proofs 
in theory, but no suggestions were made that such proofs would be easy to find in practice. 

Before we present the details of ZAP's performance on this problem class, let us reiterate 
our observation that clique-coloring problems should not be thought of as unsatisfiable 
instances of graph-coloring problems generally. A particular instance of this problem class 
does not describe a specific graph that needs to be colored; it says only that the graph 
contains an m-clique and needs to be colored in m — 1 colors. 

An axiomatization of this problem is as follows. We use $e_{ij}$ to describe the graph, $c_{ij}$ to 
describe the coloring of the graph, and $q_{ij}$ to describe the embedding of the clique into the 
graph. The graph has m nodes, the clique is of size n+1, and there are n colors available. 

$$c_{i1} \lor \cdots \lor c_{in} \quad \text{for } i = 1, \ldots, m \tag{26}$$
$$q_{i1} \lor \cdots \lor q_{im} \quad \text{for } i = 1, \ldots, n+1 \tag{27}$$
$$\lnot e_{ij} \lor \lnot c_{il} \lor \lnot c_{jl} \quad \text{for } 1 \le i < j \le m,\; l = 1, \ldots, n \tag{28}$$
$$\lnot q_{ij} \lor \lnot q_{kj} \quad \text{for } 1 \le i < k \le n+1,\; j = 1, \ldots, m \tag{29}$$
$$e_{ij} \lor \lnot q_{ki} \lor \lnot q_{lj} \quad \text{for } 1 \le i < j \le m,\; 1 \le k \ne l \le n+1 \tag{30}$$

Figure 11: CPU time for a unit test in the Tseitin problems. ZAP is scaling as approximately 
$O(n^{\log(n)})$. 



Here $e_{ij}$ means that there is an edge between graph nodes i and j, $c_{ij}$ means that graph 
node i is colored with the jth color, and $q_{ij}$ means that the ith element of the clique is 
mapped to graph node j. Thus the first axiom (26) says that every graph node has a color. 
(27) says that every element of the clique appears in the graph. (28) says that two of the m 
nodes in the graph cannot be the same color (of the n colors available) if they are connected 
by an edge. (29) says that no two elements of the clique map to the same node in the graph. 
Finally, (30) says that the clique is indeed a clique - no two clique elements can map to 
disconnected nodes in the graph. 

The encoding passed to ZAP was group-based, as follows: 

SORT color 2 ; 
SORT node 4 ; 
SORT clique 3 ; 

PREDICATE edge( node node ) ; 
PREDICATE color( node color ) ; 
PREDICATE clique( clique node ) ; 

GROUP COLOR < 
    (( color[1 1] color[1 2]) 
     ( color[2 1] color[2 2]) 
     ( color[3 1] color[3 2]) 
     ( color[4 1] color[4 2])) 
> ; 

GROUP CLIQUE < 
    (( clique[1 1] clique[2 1]) 
     ( clique[1 2] clique[2 2]) 
     ( clique[1 3] clique[2 3]) 
     ( clique[1 4] clique[2 4])) 
    (( clique[2 1] clique[3 1]) 
     ( clique[2 2] clique[3 2]) 
     ( clique[2 3] clique[3 3]) 
     ( clique[2 4] clique[3 4])) 
> ; 

GROUP NODES < 
    (( edge[1 3] edge[2 3]) 
     ( edge[1 4] edge[2 4]) 
     ( color[1 1] color[2 1]) 
     ( color[1 2] color[2 2]) 
     ( clique[1 1] clique[1 2]) 
     ( clique[2 1] clique[2 2]) 
     ( clique[3 1] clique[3 2])) 
    (( color[2 1] color[3 1] color[4 1]) 
     ( color[2 2] color[3 2] color[4 2]) 
     ( edge[1 2] edge[1 3] edge[1 4]) 
     ( edge[2 3] edge[3 4] edge[2 4]) 
     ( clique[1 2] clique[1 3] clique[1 4]) 
     ( clique[2 2] clique[2 3] clique[2 4]) 
     ( clique[3 2] clique[3 3] clique[3 4])) 
> ; 

color[1 1] color[1 2] GROUP NODES ; 
clique[1 1] clique[1 2] clique[1 3] GROUP CLIQUE ; 
-edge[1 2] -color[1 1] -color[2 1] GROUP NODES COLOR ; 
-clique[1 1] -clique[2 1] GROUP NODES CLIQUE ; 
-clique[1 1] -clique[2 2] edge[1 2] GROUP NODES CLIQUE ; 

This is the version where there is a 3-clique in a graph of size four, and we are trying to 
use just two colors. The first group is the symmetry over colors alone, the second that over 
the elements of the clique, and the third the symmetry over nodes. The axiomatization is 
identical to that presented earlier. Note that although there is a common symmetry in this 
problem, the axiomatization obscures that in some sense, since we have only included the 
relevant symmetry or symmetries in any particular axiom. 

Times to solution for ZAP and zChaff are shown in Figure 12. As might be expected, 
zChaff is scaling exponentially; zap appears to be scaling as n^'^. In order to allow the 
data to be presented along a single axis, these problem instances were selected so that the 
clique size was one smaller than the graph size. 

Figure 13 shows the number of nodes expanded by the two systems. Once again, the 
number of nodes expanded by zChaff is growing exponentially with problem size, while 
the number expanded by ZAP is growing polynomially. As with the pigeonhole problem, 
we see that the short proofs whose existence is guaranteed by the theory can be found in 
practice. 

Figure 12: CPU time for clique instances, ZAP and zChaff 

Figures 14 and 15 display ZAP's performance on a somewhat wider range of problem 
instances where the clique and graph sizes are allowed to vary independently. The number 
of nodes expanded was in general 

$$\frac{(c + g)^2 - 13c - g + 14}{2}$$

where c is the size of the clique and g the size of the graph. There were a handful of outliers, 
most notably the c = 11, g = 13 instance which expanded a larger number of nodes. The 
other exceptions all expanded fewer nodes. 

With regard to total CPU time (Figure 15), the time appears to be scaling as {cg)^'^^ . 
Once again, c = 11, g = 13 is an outlier but polynomial performance is observed generally. 
To the best of our knowledge, zap is the first system to exhibit polynomial performance on 
this problem class; as we have remarked, most other approaches have been proven to scale 
exponentially. 

10.4 Related Work 

Finally, we compare our experimental results to those obtained using other systems that 
attempt to exploit problem structure to improve the performance of satisfiability solvers. 
This section provides a high-level summary of experimental results for a number of these 
efforts and compares these results with ZAP on the benchmark problems described in the 
previous sections. 

Figure 13: Nodes expanded in the clique problems 

Recall that our benchmark problems are all highly structured, but each has a very dif- 
ferent type of structure. Theoretically, these problems all allow polynomial-time solutions, 
but they are provably hard for conventional solvers. A solver that solves all of these problems 
efficiently has the ability to exploit a range of different types of problem structure 
and automates a strong proof system. Of course, to be interesting, a solver must also be a 
practical general purpose solver. For example, Tseitin problems can be solved in polynomial 
time by a form of Gaussian elimination (Schaefer, 1978), and pigeonhole problems can be 
solved in polynomial time by a linear programming method such as the simplex method. 
However, neither of these solutions constitutes a practical general purpose solver. 

We ran a number of solvers on the benchmark problems, obtaining the following results: 
Figure 14: Nodes expanded in the clique problems 

Rather than presenting numerous graphs, we summarize our results above, simply re- 
porting the overall scaling of each solver on each problem class. Polynomial-time scaling is 
indicated with a P and exponential-time scaling with an E. Scaling is shown for the three 
problem classes we have discussed, with two separate encodings considered for the Tseitin 
problems. The first encoding is the Booleanization of the encoding of Section 10.2; the 
second involves the introduction of new variables to reduce clause length and is described 
below. If the performance is improved by this introduction, the new scaling is given par- 
enthetically. The final two rows give known proof complexity results for the resolution 
and cutting-planes proof systems and thus provide lower bounds on the corresponding rows 
above them. 

Reducing performance results to exponential or polynomial scaling omits valuable in- 
formation. Clearly the difference between n^^^ and scaling is something we care about, 
although both are polynomial. The details of specific scaling factors will be included in the 
discussion that follows; our goal in the table is merely to summarize the strength of each 
solver's underlying proof system. 

Details of the solvers appearing in the table are as follows: 

• PBCHAFF is a pseudo-Boolean version of the DPLL algorithm. It represents problems 
in pseudo-Boolean form and automates a cutting-planes proof system. The cutting-planes 
proof system allows polynomial-length proofs of the pigeonhole problem and 
PBCHAFF is able to solve these problems efficiently. Scaling for PBCHAFF on pigeonhole 
instances was as n^'^, where n is the number of pigeons. This is an improvement over 
the n^'^ scaling seen for ZAP. However, the performance of PBCHAFF on Tseitin and 
clique coloring problems is exponential, since cutting-planes inference is not able to 
capture and exploit the structure of these problems. 

Figure 15: CPU time expended in the clique problems 

• EQSATZ (Li, 2000) and MARCH_EQ (Heule & van Maaren, 2004) are DPLL-based solvers 
that have been modified to incorporate equivalence reasoning, which should enable 
them to solve parity problems efficiently. As expected, both EQSATZ and MARCH_EQ 
exhibited exponential scaling on pigeonhole and clique coloring problems, since these 
solvers are not designed to recognize the structure of these problems. More surprising 
was the exponential scaling observed for both EQSATZ and MARCH_EQ on our initial 
encoding of the Tseitin problems. 

Eqsatz scales exponentially because it does not recognize the structure present in 
our encoding of the parity problems. This performance can be improved by mod- 
ifying the CNF encoding to reduce its size and make the structure more apparent to 
the solver. Doing so involves the introduction of a significant number of new aux- 
iliary variables, and experimental results for this new encoding are discussed below. 
March_eq does recognize the structure in our original encoding, and solves it during 
a preprocessing phase. The exponential scaling here is due simply to the fact that the 
size of the Boolean encoding is growing exponentially as a function of graph size (see 
Section 10.2). 

14. Li, personal communication (2005). 
Any parity constraint can be rewritten as a set of parity constraints, each of length at 
most three (Li, 2000). A parity constraint of the form 

$$x_1 + x_2 + \cdots + x_n = k \tag{31}$$

is equivalent to the set of parity constraints 

$$\begin{aligned}
x_1 + A_1 &= k \\
A_1 + x_2 + A_2 &= 0 \\
A_2 + x_3 + A_3 &= 0 \\
&\;\;\vdots \\
A_{n-2} + x_{n-1} + A_{n-1} &= 0 \\
A_{n-1} + x_n &= 0
\end{aligned}$$

Summing over this set of parity constraints gives 

$$2A_1 + 2A_2 + \cdots + 2A_{n-1} + x_1 + \cdots + x_n = k$$

which is equivalent to (31). If the Tseitin encoding from Section 10.2 is translated into 
parity constraints in this way and then converted to cnf, the exponential blowup in the 
size of our existing cnf encoding can be avoided. (It is not clear, however, if resolution can 
then produce a polynomially sized proof of the unsatisfiability of the resulting theory.) 
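The rewriting of (31) into constraints of length at most three, as an added Python example (not code from the paper or from any of the solvers discussed). The function names and the auxiliary names A1, A2, ... are hypothetical. It builds the chain, Booleanizes both forms, compares clause counts, and checks by enumeration that the split form admits exactly the original solutions over the x variables.

```python
from itertools import product


def split_parity(xs, k):
    """Chain from the text: x1+A1=k, A1+x2+A2=0, ..., A(n-1)+xn=0.

    Returns (auxiliary variables, list of (variables, rhs)). Constraints
    with fewer than three variables are already short and are left alone.
    Assumes no variable in xs is itself named A1, A2, ...
    """
    n = len(xs)
    if n < 3:
        return [], [(list(xs), k)]
    aux = [f"A{i}" for i in range(1, n)]
    chain = [([xs[0], aux[0]], k)]
    for i in range(1, n - 1):
        chain.append(([aux[i - 1], xs[i], aux[i]], 0))
    chain.append(([aux[-1], xs[-1]], 0))
    return aux, chain


def parity_to_cnf(variables, rhs):
    """Booleanize one parity constraint.

    Every assignment of the wrong parity is excluded by one clause, so a
    constraint over m variables yields 2^(m-1) clauses. A literal is
    (variable, polarity) with polarity True for the positive literal.
    """
    clauses = []
    for bits in product((0, 1), repeat=len(variables)):
        if sum(bits) % 2 != rhs:
            clauses.append([(v, b == 0) for v, b in zip(variables, bits)])
    return clauses


def split_cnf(xs, k):
    """CNF of the split form: concatenation of the CNFs of the short constraints."""
    _, chain = split_parity(xs, k)
    return [c for vs, rhs in chain for c in parity_to_cnf(vs, rhs)]


def satisfies(clauses, assignment):
    return all(any(assignment[v] == int(pol) for v, pol in c) for c in clauses)


def projected_solutions(xs, k):
    """Solutions of the split CNF, projected onto the original variables."""
    aux, _ = split_parity(xs, k)
    cnf = split_cnf(xs, k)
    names = list(xs) + aux
    found = set()
    for bits in product((0, 1), repeat=len(names)):
        a = dict(zip(names, bits))
        if satisfies(cnf, a):
            found.add(tuple(a[x] for x in xs))
    return found


if __name__ == "__main__":
    xs = [f"x{i}" for i in range(1, 11)]
    print(len(parity_to_cnf(xs, 1)), "clauses direct")
    print(len(split_cnf(xs, 1)), "clauses after splitting")
```

The direct encoding doubles with each added variable while the split encoding grows by four clauses per variable, which is the blowup the new encoding avoids.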

Eqsatz, march_eq and zap all exhibit improved performance if this new encoding is 
used; these results are shown parenthetically in the Tseitin column of the table. March_EQ 
solves this encoding of the Tseitin problems virtually instantaneously. Eqsatz now sub- 
stantially outperforms zChaff, as reported by Li (2003). The running times for EQSATZ, 
however, remain exponential and the system is unable to solve the instance of size ten 
within 10,000 seconds. The performance of ZAP is improved as well, but the overall scaling 
is unchanged. 

The introduction of new variables is accepted practice for reducing the size of CNF 
encodings, and also has the potential to reduce the length of proofs constructed by solvers. 
Indeed, there are no classes of problems known to be hard for extended resolution, a version 
of resolution in which the introduction of new variables is permitted. In general, however, 
introducing new variables in order to reduce proof length is considered "cheating" from a 
proof complexity perspective; once new variables are introduced, most proof systems are 
essentially equivalent. In addition, no general method for introducing variables is known and 
we know of no implemented system that does so. One advantage of zap is that group-based 
annotations avoid the need for syntactic reworkings of this sort. 

Another approach to solving highly symmetric problems is seen in the solver sSatz (Li, 
Jurkowiak, & Purdom, Jr., 2002). This solver is also based on the DPLL algorithm, and 
accepts as input both a problem in cnf and a set of matrices describing a global symmetry on 
the variables. The global symmetry is then used to partition the set of variable assignments 
into equivalence classes. In addition to the normal pruning techniques used in dpll, search 
can now also be pruned by eliminating any partial assignment that is not minimal under the 
equivalence corresponding to the global symmetry. sSatz scales polynomially on pigeonhole 
problems; however, the class of input symmetry groups allowed by sSatz is currently too 
limited to be applied to Tseitin or clique coloring problems. It is not clear whether this is 
a limitation that can be overcome as the work matures, which is why we have not included 
sSatz in our table. 

Of all the solvers tested, zap is the only solver to provide efficient solutions on all the test 
problems, and it is the only solver that scales polynomially on clique coloring. Pbchaff 
has better scaling on pigeonhole problems, and MARCH_EQ has better scaling on Tseitin 
problems; however, both solvers exploit a narrowly defined type of problem structure and 
therefore perform poorly in the other domains. The performance of ZAP is also likely to 
improve as the basic group primitives underlying ZAP's procedures are optimized. 

11. Conclusion and Future Work 

Zap represents what appears to be a new synthesis between two very distant fields: compu- 
tational group theory and Boolean satisfiability. From an algorithmic point of view, each of 
these fields is fairly mature and complex, and our synthesis inherits significant algorithmic 
complexity as a result. Our goal in this paper has been to present initial versions of the 
algorithms that a group-based theorem prover will need, and to describe the performance 
of a prototype implementation of these ideas. As we have seen, ZAP easily outperforms 
its conventional counterparts on difficult problem instances where there is group structure 
concealed by the Boolean axiomatization. 

That said, it is important to realize that our results only scratch the surface of what 
zap's underlying representational shift allows. On the Tseitin problems, for example, it 
seems likely that incorporation of more sophisticated set stabilizer algorithms will allow us 
to improve ZAP's performance; the fact that only polynomially many nodes are expanded 
in solving these problems bodes well for the eventual performance of the system. 

Other improvements are also possible. In the pigeonhole and clique coloring problems, 
computational performance is dominated by the O(n^) stabilizer chain computations on the 
groups in question; these groups are products of full symmetry groups. It is well known 
that full symmetry groups are extremely difficult for the usual stabilizer chain algorithms, 
but in cases such as these it is possible to produce the stabilizer chains directly, taking time 
O(n^) or even O(n^) if the stabilizer chain data structure is modified (Jerrum, 1986). Such 
modifications can be expected to improve ZAP's performance significantly in this domain. 

There is simply too much to do. The above extensions are only the beginning; we also 
obviously need to experiment with ZAP on a wide range of other problem instances. There 
are also two general points that we would like to make regarding future work in this area. 

First, we have left unmentioned the problem of discovering group structure in existing 
clausal databases. The practical impact here would be substantial, for several reasons. It 
would make it possible to apply ZAP directly to problems that have already been encoded 
using Boolean axioms, and it would also make it possible to discover "emergent" group 
structure that only appears after search has begun. As an example, perhaps a symmetry 
exists for a particular problem but is hidden by the existing axiomatization; after a few 
inferences, the symmetry may become apparent but still needs to be noticed. 

Second, and perhaps most important, ZAP provides us with a very broad stage on which 
to work. Progress in computational group theory can be expected to lead to performance 
improvements in inference; dually, applying ZAP to a wide range of reasoning problems 
should provide a new set of examples that the computational group theorists can use to 
test their ideas. Lifting heuristics from one area of AI to a group-based setting may make 
analogs of those heuristics available in other, more practical domains. As with all new 
syntheses, it seems reasonable to hope that ZAP will allow ideas from Boolean satisfiability, 
computational group theory and search-based AI to be combined, leading to new insights 
and levels of performance in all of these areas. 

Appendix A. Proofs 

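Procedure 4.1 Given augmented clauses $(c_1, G_1)$ and $(c_2, G_2)$, to compute $\mathrm{stab}(c_i, G_i)$:

1 $\text{c\_closure}_1 \leftarrow c_1^{G_1}$, $\text{c\_closure}_2 \leftarrow c_2^{G_2}$
2 $\text{g\_restrict}_1 \leftarrow G_1|_{\text{c\_closure}_1}$, $\text{g\_restrict}_2 \leftarrow G_2|_{\text{c\_closure}_2}$
3 $C_\cap \leftarrow \text{c\_closure}_1 \cap \text{c\_closure}_2$
4 $\text{g\_stab}_1 \leftarrow \text{g\_restrict}_{1,\{C_\cap\}}$, $\text{g\_stab}_2 \leftarrow \text{g\_restrict}_{2,\{C_\cap\}}$
5 $\text{g\_int} \leftarrow \text{g\_stab}_1|_{C_\cap} \cap \text{g\_stab}_2|_{C_\cap}$
6 $\{g_i\} \leftarrow \{\text{generators of g\_int}\}$
7 $\{l_{1i}\} \leftarrow \{g_i, \text{ lifted to g\_stab}_1\}$, $\{l_{2i}\} \leftarrow \{g_i, \text{ lifted to g\_stab}_2\}$
8 $\{l'_{2i}\} \leftarrow \{l_{2i}|_{\text{c\_closure}_2 - C_\cap}\}$
9 return $\langle \text{g\_restrict}_{1,C_\cap}, \text{g\_restrict}_{2,C_\cap}, \{l_{1i} \cdot l'_{2i}\} \rangle$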



Proposition 4.2 The result returned by Procedure 4.1 is $\mathrm{stab}(c_i, G_i)$. 

Proof. We show that every element of the group returned is a stable extension by showing 
that the generators in line 9 are all stable extensions; recall that the set of stable extensions 
is a subgroup. We show that every stable extension is returned by showing that they can 
all be constructed via the above procedure. 

For the first claim, we argued in the main text that the elements of $\text{g\_restrict}_{i,C_\cap}$ are 
stable; we must only show that the elements of {In ■ l^i} are as well. For such an element 
u), however, note that uj\ d = = gi and similarly for uj\ 0-2, since ui agrees with 

hi = hi = di on Cn and with hi outside of Cn • Thus hi • is stable. 

For the second claim, suppose that we have a stable extension $\omega$; consider its restriction 
to $c_1^{G_1} \cup c_2^{G_2}$. Now on the intersection $c_1^{G_1} \cap c_2^{G_2}$, $\omega$ must agree with elements of both $G_1$ 
and $G_2$; call the elements with which it agrees $l_1$ and $l_2$. Restricting $l_2$ away from the 
intersection to get $l'_2$, we see that there will be some element $l$ of the group generated by 
$\{l_{1i} \cdot l'_{2i}\}$ that matches $\omega$ on $c_1^{G_1} \cap c_2^{G_2}$. 

Now consider $\omega \cdot l^{-1}$. This is the identity on $c_1^{G_1} \cap c_2^{G_2}$. Restricting to either $c_1^{G_1}$ or $c_2^{G_2}$ 
we get an element of $G_1$ or $G_2$ that point stabilizes $c_1^{G_1} \cap c_2^{G_2}$, and all such elements are 
included directly in line 9 of the resolution procedure. It follows that $\omega \cdot l^{-1}$ is an element 
of $\langle \text{g\_restrict}_{1,C_\cap}, \text{g\_restrict}_{2,C_\cap} \rangle$, so that 

$$\omega \in \langle \text{g\_restrict}_{1,C_\cap}, \text{g\_restrict}_{2,C_\cap}, \{l_{1i} \cdot l'_{2i}\} \rangle \qquad \Box$$

Procedure 5.3 Given groups $H \le G$, an element $t \in G$, sets $c$ and $S$, to find a group 
element $g = \mathrm{map}(G, H, t, c, S)$ with $g \in H$ and $c^{gt} \cap S = \emptyset$: 

1 if $c_H^t \cap S \neq \emptyset$
2    then return FAILURE
3 if $c = c_H$
4    then return 1
5 $\alpha \leftarrow$ an element of $c - c_H$
6 for each $t'$ in $(H : H_\alpha)$
7    do $r \leftarrow \mathrm{map}(G, H_\alpha, t't, c, S)$
8       if $r \neq$ FAILURE
9          then return $rt'$
10 return FAILURE

Proposition 5.4 $\mathrm{map}(G, G, 1, c, S)$ returns an element $g \in G$ for which $c^g \cap S = \emptyset$, if such 
an element exists, and returns FAILURE otherwise. 

Proof. As we remarked in the main text, we will prove the slightly stronger result that 
$\mathrm{map}(G, H, t, c, S)$ returns an element $g \in H$ for which $c^{gt} \cap S = \emptyset$ if such an element exists. 
The proposition as stated is then the special case $t = 1$. 

The proof proceeds by induction on the number of elements of $c$ that are moved by 
$H$. If none are, then either $c^t \cap S \neq \emptyset$ and the procedure will return failure on line 2, or 
$c^t \cap S = \emptyset$ and it will return 1 on line 4. 

For the inductive step, assume that $H$ moves at least one point in $c$. Lines 1-4 don't 
affect the correctness of the procedure at this point, other than to allow an early termination 
if some already fixed point is moved inside of $S$ by $t$. In the interesting case, we form a 
transversal at line 6. Every element of $H$ can be represented as $gt'$ for some $g \in H_\alpha$ and 
$t'$ in the transversal. If some such $gt'$ should be returned as a solution, we know by the 
inductive hypothesis that $g$ will be found by the recursive call in line 7. □ 

Procedure 5.5 Given groups $H \le G$, an element $t \in G$, sets $c$, $S$ and $U$ and an integer 
$k$, to find a group element $g = \mathrm{transport}(G, H, t, c, S, U, k)$ with $g \in H$, $c^{gt} \cap S = \emptyset$ and 
$|c^{gt} \cap U| \le k$: 

1 if $c_H^t \cap S \neq \emptyset$
2    then return FAILURE
3 if $\mathrm{overlap}(H, c, (S \cup U)^{t^{-1}}) > k$
4    then return FAILURE
5 if $c = c_H$
6    then return 1
7 $\alpha \leftarrow$ an element of $c - c_H$
8 for each $t'$ in $(H : H_\alpha)$
9    do $r \leftarrow \mathrm{transport}(G, H_\alpha, t't, c, S, U, k)$
10       if $r \neq$ FAILURE
11          then return $rt'$
12 return FAILURE

Proposition 5.6 Provided that $|c^h \cap V| \ge \mathrm{overlap}(H, c, V) \ge |c_H \cap V|$ for all $h \in H$, 
$\mathrm{transport}(G, c, S, U, k)$ as computed by Procedure 5.5 returns an element $g \in G$ for which 
$c^g \cap S = \emptyset$ and $|c^g \cap U| \le k$, if such an element exists, and returns failure otherwise. 

Proof. As remarked in the main text, $|c^h \cap (S \cup U)^{t^{-1}}| = |c^{ht} \cap (S \cup U)|$. But since $c^{ht} \cap S$ is 
required to be empty, $|c^{ht} \cap (S \cup U)| = |c^{ht} \cap U|$. The proof now proceeds essentially unchanged 
from that of Proposition 5.4. 

The two conditions on the overlap function are both necessary. We need to know that 
$|c^h \cap V| \ge \mathrm{overlap}(H, c, V)$ in order to avoid terminating the search early on line 3. We 
need $\mathrm{overlap}(H, c, V) \ge |c_H \cap V|$ to ensure that once we have fixed every element of $c$, 
line 3 will identify a failure if $|c^t \cap U| > k$ so that we don't return successfully on line 6 in 
this case. □ 

Procedure 5.8 Given a group $H$, and two sets $c, V$, to compute $\mathrm{overlap}(H, c, V)$, a lower 
bound on the overlap of $c^h$ and $V$ for any $h \in H$: 

1 $m \leftarrow 0$
2 for each orbit $W$ of $H$
3    do $m \leftarrow m + \max(|W \cap V| - |W - c|, 0)$
4 return $m$

Proposition 5.9 Let $H$ be a group and $c, V$ sets acted on by $H$. Then for any $h \in H$, 
$|c^h \cap V| \ge \mathrm{overlap}(H, c, V) \ge |c_H \cap V|$ where overlap is computed by Procedure 5.8. 

Proof. The only subtlety involves the contribution that the fixed points in the clause make 
to the sum. But since each fixed point is in its own orbit, the fixed points contribute either 
1 or 0 to the sum depending on whether or not they are already in $V$. □ 
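
Procedures 5.5 and 5.8 and the bound of Proposition 5.9, as an added Python example (not ZAP's code, and not from the paper). It assumes a group small enough to hold as an explicit list of permutations rather than a stabilizer chain; all function names and the sample group are constructed for illustration.

```python
# Added illustration of Procedures 5.8 and 5.5; not the ZAP implementation.
# Assumption: the group is tiny, so H is an explicit list of all its elements
# (tuples p with p[x] = image of point x) instead of a stabilizer chain.

def compose(p, q):
    """Product pq under the paper's right action: x^(pq) = (x^p)^q."""
    return tuple(q[x] for x in p)

def generate(gens):
    """All elements of the group generated by gens (breadth-first closure)."""
    identity = tuple(range(len(gens[0])))
    seen, frontier = {identity}, [identity]
    while frontier:
        fresh = []
        for p in frontier:
            for g in gens:
                r = compose(p, g)
                if r not in seen:
                    seen.add(r)
                    fresh.append(r)
        frontier = fresh
    return sorted(seen)

def image(points, g):
    """The set c^g."""
    return {g[x] for x in points}

def orbits(H):
    """Orbits of H on its points, singleton orbits (fixed points) included."""
    todo, found = set(range(len(H[0]))), []
    while todo:
        x = min(todo)
        orbit = {h[x] for h in H}
        found.append(orbit)
        todo -= orbit
    return found

def fixed_part(H, c):
    """c_H: the points of c fixed by every element of H."""
    return {x for x in c if all(h[x] == x for h in H)}

def overlap(H, c, V):
    """Procedure 5.8: a lower bound on |c^h ∩ V| valid for every h in H."""
    m = 0
    for W in orbits(H):
        m += max(len(W & V) - len(W - c), 0)
    return m

def transport(H, t, c, S, U, k):
    """Procedure 5.5: some g in H with c^(gt) ∩ S = ∅ and |c^(gt) ∩ U| <= k, or None."""
    c_H = fixed_part(H, c)
    if image(c_H, t) & S:                                        # lines 1-2
        return None
    pulled_back = {x for x in range(len(t)) if t[x] in (S | U)}  # (S ∪ U)^(t^-1)
    if overlap(H, c, pulled_back) > k:                           # lines 3-4
        return None
    if c == c_H:                                                 # lines 5-6
        return tuple(range(len(t)))
    alpha = min(c - c_H)                                         # line 7
    H_alpha = [h for h in H if h[alpha] == alpha]
    transversal = {}
    for h in H:                     # cosets H_alpha * h are indexed by alpha^h
        transversal.setdefault(h[alpha], h)
    for t1 in transversal.values():                              # line 8
        r = transport(H_alpha, compose(t1, t), c, S, U, k)       # line 9
        if r is not None:
            return compose(r, t1)                                # line 11
    return None                                                  # line 12

# Constructed sample group: Sym({0,1,2}) x Sym({3,4}) on points 0..5, point 5 fixed.
GENS = [(1, 2, 0, 3, 4, 5), (1, 0, 2, 3, 4, 5), (0, 1, 2, 4, 3, 5)]
G = generate(GENS)
IDENTITY = tuple(range(6))

if __name__ == "__main__":
    c, S, U = {0, 3}, {0, 1, 3}, {2, 4}
    print("overlap bound:", overlap(G, c, S | U))
    print("k=2:", transport(G, IDENTITY, c, S, U, 2))
    print("k=1:", transport(G, IDENTITY, c, S, U, 1))
```

With k = 1 the search stops at line 3 without expanding any node, because the orbit bound already shows that every image of c meets S ∪ U in two points.
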
Proposition 5.15 Let G be a group acting transitively on a set T, and let c,V Q T. 
Suppose also that {Bi, . . . is a block system for G and that c D Bi ^ for n of the 

blocks in {Bi, . . . , -B^}. Then if b is the size of an individual block Bi and g € G, 

n 1^1 > |c| + {Bi nV)-nb (32) 

Proof. For any g G, there will be a set of n blocks that collectively contain the image c^. 
We can therefore use the usual counting argument. Within those n blocks, c will contain 
|c| points, and the set V will contain at least (5j fl V) points. But there are only nb 

points available, so the result follows. □ 

Proposition 5.16 If the block system is trivial (in either sense), (32) is equivalent to 

$$|c^g \cap V| \ge |T \cap V| - |T - c| \qquad (33)$$

Proof. Suppose first that there is a single block. Now $n = 1$, $b = |T|$ and there is only one 
set over which to take the minimum in (32), which therefore becomes 

$$\begin{aligned} |c^g \cap V| &\ge |c| + |T \cap V| - |T| \\ &= |T \cap V| - |T - c| \end{aligned}$$

If, on the other hand, the block system is trivial in that each point is in its own block, 
then $n = |c|$, $b = 1$ and 

sr<'° (s,nF) 

is the smallest number of points in V that must be in a set of size n, so 

{Bi^V) = n+\T^V\- \T\ 

Now (32) becomes 

$$\begin{aligned} |c^g \cap V| &\ge |c| + |c| + |T \cap V| - |T| - |c| \\ &= |c| + |T \cap V| - |T| \\ &= |T \cap V| - |T - c| \qquad \Box \end{aligned}$$

Proposition 5.17 Let {Bi, . . . , Bk} be a block system for a group G acting transitively on 
a set T . Then (32) is never weaker than (33). 

Proof. Comparing (32) and (33), we see that we are trying to show that 

|c| + {Bi n F) - n6 > |r n y| - |r - c| 

= |c| + |rny| - |T| 

or 

T^f^l {Bi r\V)-nb>\Tr\V\- \T\ 
If there are q blocks in the block system, then this is equivalent to 

(Bi nV)-nb> {Bi nV)-bq 

or 

bq-nb> Eg- {Bi HV) - Sg^ (S, n V) (34) 

But the lefthand side of (34) is the total amount of space in the q — b blocks not included in 
E™™ {Bi n V), and the righthand side is the amount of space used by V within these q — b 
blocks. Thus (34) follows and the result is proved. □ 






Lemma A.1 Let $G$ be a group of permutations, and $c$ a set acted on by $G$. Suppose also 
that $S$ and $U$ are sets acted on by $G$. Now if $j \in G_{\{c\}}$ and $g \in G$ is any permutation in $G$, 
then 

$$|c^g \cap S| = |c^{jg} \cap S|$$

and 

$$|c^g \cap U| = |c^{jg} \cap U|$$

Proof. This is immediate, since $c^j = c$. □ 

Lemma A.2 Let $G$ be a group of permutations, and $c$ a set acted on by $G$. Suppose also 
that $S$ and $U$ are sets acted on by $G$. Now if $k \in G_{\{S,U\}}$ and $g \in G$ is any permutation in 
$G$, then 

$$|c^g \cap S| = |c^{gk} \cap S|$$

and 

$$|c^g \cap U| = |c^{gk} \cap U|$$

Proof. It clearly suffices to show the result for $S$; $U$ is equivalent. But 

$$\begin{aligned} |c^{gk} \cap S| &= |c^g \cap S^{k^{-1}}| \\ &= |c^g \cap S| \end{aligned}$$

where $S^{k^{-1}} = S$ because $k$ is in the set stabilizer of $S$ and therefore $k^{-1}$ is as well (because 
the set stabilizer of $S$ is a group). □ 

Proposition 5.23 Let $G$ be a group of permutations, and $c$ a set acted on by $G$. Suppose 
also that $S$ and $U$ are sets acted on by $G$. Then for any instance $I$ of the k-transporter 
problem and any $g \in G$, either every element of $G_{\{c\}} g G_{\{S,U\}}$ is a solution of $I$, or none is. 

Proof. Combine Lemmas A.1 and A.2. □ 

Lemma A. 3 Let G,J < Sjm(Q) where $7 is the (ordered) set and suppose 

t G Sym(r2) satisfies xj = zi for 1 < I < k where k < n. Suppose that we have fixed i with 
i < k and set Z = J{xi,...,xi:}- Suppose finally that 

Zi > mm Ix-^ ' M 

Then no h e Gxi,...,x!,t is the first element of Jh. 

Proof. We are given the existence of j G Zxi,...^Xi 

_i such that Zi > xf. Consider any h = gt 
with g € Gxj^,...,Xk- Since j S Z, j stabilizes the set {xj, . . . ,Xk}- Since g stabilizes every 
point in this set, it fixes both Xi and xj. Thus xf* = x* and x]^* = xj*, and 

= x\ = Zi> xf = xj'^* 

On the other hand, for I < i, both g and j fix xi, so that xf = xj^^. Since jgt thus precedes 
gt, gt is not minimal in Jgt. □ 

Lemma 5.26 Suppose that t is the permutation labeling some node Ht of a coset decom- 
position tree at depth k, so that x\ = Zi for i < k and H = Gxi,...,a;j. is the residual group at 

' ' '~ ) 

for any i < k, then no g £ Ht is the first element of JgK . 

Proof. This is a direct consequence of Lemma A. 3. Let p be a permutation in JM,xi,...,xi-i ■ 
Since p fixes every point moved by Gxi,...^Xk, and p also fixes xi, . . . ,Xj_i, it follows that p 
must only permute the remaining points Xi,...,Xk- Thus JM,xi,...,xi-i < -^a;i,...,a;i_i where 
Z is the set stabilizer in the statement of Lemma A. 3, and therefore no y G T is the first 
element of Jg. Since Jg C JgK, the result follows. □ 

Procedure 6.5 Given a set $X$ of pairs $(l, g)$ and a group $G$, to compute $\mathrm{complete}(X, G)$, 
where $X \models_G \mathrm{complete}(X, G)$ and $L(\mathrm{complete}(X, G)) = L(X)^G$: 

1 $Y \leftarrow \emptyset$
2 for each $(l, g) \in X$
3    do for each $l' \in l^G - L(Y)$
4       do select $h \in G$ such that $l^h = l'$
5          $Y \leftarrow Y \cup (l', gh)$
6 return $Y$

Proposition 6.6 $X \models_G \mathrm{complete}(X, G)$ and $L(\mathrm{complete}(X, G)) = L(X)^G$. 

Proof. $X \models_G \mathrm{complete}(X, G)$ because every entry added to $Y$ is clearly $G$-entailed by 
$X$. $L(\mathrm{complete}(X, G)) = L(X)^G$ because the entire image of $L(X)$ under $G$ is eventually 
added. □ 

Procedure 6.7 Given groups $H \le G$, an element $t \in G$, sets $c$, $S$ and $U$, to find 
$\mathrm{Transport}(G, H, t, c, S, U)$, a skeletal set of unit consequences for $(c, G)$ given $P$: 

1 if $\mathrm{overlap}(H, c, S^{t^{-1}}) > 0$
2    then return (false, $\emptyset$)
3 if $\mathrm{overlap}(H, c, (S \cup U)^{t^{-1}}) > 1$
4    then return (false, $\emptyset$)
5 if $c = c_H$
6    then if $c^t \cap U = \emptyset$
7       then return (true, 1)
8       else return (false, $(c^t \cap U, 1)$)
9 if a pruning lemma can be applied
10    then return (false, $\emptyset$)
11 $Y \leftarrow \emptyset$
12 $\alpha \leftarrow$ an element of $c - c_H$
13 for each $t'$ in $(H : H_\alpha)$
14    do $(u, V) \leftarrow \mathrm{Transport}(G, H_\alpha, t't, c, S, U)$
15       if $u$ = true
16          then return (true, $Vt'$)
17          else $Y \leftarrow Y \cup \{(l, gt') \mid (l, g) \in V\}$
18 return (false, $Y$)

Proposition 6.8 Assume that $|c^h \cap V| \ge \mathrm{overlap}(H, c, V) \ge |c_H \cap V|$ for all $h \in H$, and 
let $\mathrm{Transport}(G, c, S, U)$ be computed by Procedure 6.7. Then if there is a $g \in G$ such that 
$c^g \cap S = c^g \cap U = \emptyset$, $\mathrm{Transport}(G, c, S, U) = (\text{true}, g)$ for such a $g$. If there is no such 
$g$, $\mathrm{Transport}(G, c, S, U) = (\text{false}, Z)$, where $Z$ is a skeletal set of unit consequences for 
$(c, G)$ given $P$. 

Proof. Procedure 6.7 is identical to Procedure 5.27 with k = 1 except for the value re- 
turned. If there is a 5 with n 5 = and fl = as well, (true, 5') will be returned 
on line 7, and this will cause (true, gt') to be returned from the recursive call(s) on line 16 
also. 

If there is no $g$ with $c^g \cap S = c^g \cap U = \emptyset$, then the argument proceeds as usual by 
induction on the number of points of $c$ moved by $H$. If none, we know that the correct 
answer is returned on line 8 for the usual reasons; it remains to consider the recursive case 
on line 18. We know that for every $g$ such that $c^g$ is unit, we will accumulate a result from 
that $g'$ that is minimal in $JgK$ where $J = G_{\{c\}}$ and $K = G_{\{S,U\}}$ as usual. We only need to 
show that the set of $(l, g)$ collected is indeed a skeletal set of unit consequences. 

To see this, suppose that $(l, g)$ is any annotated unit consequence. Then there is some 
minimal $jgk$ that will be accumulated when the set of pairs is accumulated on line 17, with 
the associated literal $l' = c^{jgk} \cap U$. But since $j \in G_{\{c\}}$ set stabilizes the clause $c$, $c^j = c$ 
and $l' = c^{gk} \cap U$. Thus taking the given $k \in G_{\{S,U\}}$ produces the given unit consequence 
from the element of the proposed skeleton, and $Y$ as returned by Procedure 6.7 is indeed a 
skeletal set of unit consequences. □ 

Proposition 6.9 Let (c, G) he an augmented clause corresponding to a cardinality con- 
straint. Then for any sets S and U , Procedure 6. 7 will expand at most a linear number of 
nodes in finding a skeletal set of unit consequences of (c, G). 

Proof. If the original cardinality constraint was 

xi H 1- Xm > n 

then G will be Sym(X) where X is the set of Xi and c will be 

Xi V ■ ■ ■ V Xm-n+l 

We will first show that Leon's pruning lemma 5.24 suffices to reduce the search to 
quadratic size. The basic idea of this part of the proof is as follows. 

Suppose that we are expanding a particular node, corresponding to the selection of 
an image for a point Xi in c. If the image of Xi is selected to be in S", we can prune 
immediately. If the image is selected to be in either U or X — S — U, the image will have to 
be the smallest available point in the set in question for lexicographic reasons. In addition, 
the original symmetry on the literals in c can be used to require that the literals that are 
neither satisfied nor unvalued are selected "in order" during the expansion. 

To make this argument formally, note first that J = G^(.y = Sym(c) x Sym(X — c) and 
K = G^s,U} = Sym(S') x Sym(C/) x Sym(X — S — U). We assume without loss of generality 
that the points fixed in the coset decomposition tree are the Xj in order for i < m — n + 1, 
and will continue to denote the fixed image of Xi at any particular search node by Zj. We 
denote by F the sequence of all Zi for i less than the depth of the node in question, so T is 
the fixed part of the image of the clause c. We also set I = \X — S — U\, the total number 
of points that are valued but unsatisfied. 

We can now prune any node for which: 

1. r n S 7^ 0. These nodes can be pruned because the image of c meets the set S of 
satisfied literals. 

2. |r n U| > 1. As above, these nodes will be pruned because the image of c includes two 
or more unsatisfied literals. 

3. r = (yi, ...,yj,u), where each yi G X — U — S, and u € U is not minimal in U. 

Leon's lemma 5.24 with k = I requires that u = zj+i < min(u^^i' "'^-' ). But since all of 
the Ui are outside of U , Ky^^^^^^y. > Sym(C/) and all of U. Since u is assumed 

nonminimal in U, the node can be pruned. 

4. r n (X — S — U) = (yi, . . . , yj), where yi, . . . , yj_i are the first j — 1 elements 
of X — U — S and are in order, but yj G X — U — S is not the next element of 

X — U — S. An argument identical to that in the previous paragraph can be used, since 
-f^2/i,...,2/j_i includes the full symmetry group on the remaining elements oi X — U — S. 

It follows from this that the only unpruned nodes in the search are those for which either 
r = (j/i, . . . , Uk) for k < min(Z, m — n + 1), or 

r= {yi,---,yj,u,yj+i,...,yk) (35) 

for k < min(/,m — n), u the minimal element of U, and the yi the smallest elements of 
X — U — S in order. We need k < I because there are only that many possible y values, 
and k<m — n + 1 or k<m — n because that is the depth of the tree when the clause c 
has been completely instantiated. There is a linear number of nodes of the first type but a 
quadratic number of nodes of the second. 

To reduce the total number of nodes being searched to linear, we repeat the argument 
used in the discussion of the example following Lemma 5.26. There, we considered a node 
where the image of $x_1$ was $z_1$ and that of $x_2$ was $z_2$, with $z_1 > z_2$. Here, we consider a 
slightly more general case, where $\Gamma = (z_1, \ldots, z_{k-1}, z_k)$, with all of the $z_i$ in sequence except 
$z_{k-1} > z_k$. 

In Lemma 5.26, $G_{x_1,\ldots,x_k}$ will be the full symmetry group on the remaining $x_i$, so that 
$M = \{x_{k+1}, \ldots, x_m\}$. We also have $J = \mathrm{Sym}(x_1, \ldots, x_{m-n+1}) \times \mathrm{Sym}(x_{m-n+2}, \ldots, x_m)$. 
Now since k < m — n + 1, taking i = k — 1 in the statement of the lemma gives us 

JM,xi,...,xi-i = JM,xi,...,xk-2 ^ Sym(xjfc_i,Xfe) 

As a result, 

(Xk-lXk)-t t 

Zk-l > Xlf^ = 4 = Zk 

and the node can be pruned. 

This fixes u's position in the list to be at the point where it is in sequence among the 
yi and thus reduces the number of search nodes to linear. □ 

Proposition 7.8 Suppose that W is a watching set for C under P and I is a literal. Then: 

1. W is a watching set for C under any backtrack point for P. 

2. If C is settled by {P, I) , then W is a watching set for C under (P, I) . 

3. If C is settled by {P,l), and \{W - {^l}) n C n U{P^c)\ > 1, then W - {^1} is a 
watching set for C under {P, I) . 

4. If ^l n C , then W is a watching set for C under {P, I). 

Proof. None of these is hard. First, note that if P' is a backtrack point for P, then P!^^ 
will be a subassignment of P-,c, so a watching set for C under P will also be a watching set 
for C under P'. 

For the second claim, if C is settled by {P,l), there are two possibilities: 

1. If C is unsettled by P (so that the addition of Z to P caused C to be settled), then 

{P,l)^C is a subassignment of P (the subassignment will be proper if P 7^ P). Since 
C is unsettled by P, P-^c = P- Thus C/((P, l)^c) 2 U{P^c), and W is still a watching 
set. 

2. If C is settled by P, then (P, l)^c = P-.C) and W is once again still a watching set. 

The third claim follows from the second, since W — {-iZ} is assumed to be a watching 
set for C under P. 

For the fourth claim, suppose that Z C and ^/ C. Now C fl U{P) = C n C/((P, I)), 
and W remains a watching set. If Z G C, then C will be satisfied (and therefore settled) 
after I is added to P. So 1^ continues to be a watching set by virtue of the second claim. 

In the remaining case, & C and C CiU is potentially smaller because is removed 
after I is adjoined to P. But this can only impact the intersection with W if is itself in 
W; otherwise, W will still be a watching set. So W is still a watching set unless is in 
both C and W, which proves the final claim. □ 

Proposition 7.10 Suppose that W is a watching set for {c,G) under P and I is a literal. 
Then: 

1. W is a watching set for (c, G) under any backtrack point for P. 

2. If -il ^ W f} (P , then W is a watching set for (c, G) under {P, I). 

3. If\{WUV)nc9n U{{P,l))\ > l for every g e G such that c^ is unsettled by {P,l), 
then W UV is a watching set for (c, G) under {P, I) . 

4. If\{WUV)nc9r\[U{{P,l))U{S{P)-S{P-))]\ > l for every ge G, then W UV - {-^1} 
is a watching set for (c, G) under (P, I). 

Proof. We know that is a watching set for every instance of (c, G) under P, and use 
Proposition 7.8 to show that each of the above claims follows. 

First, Proposition 7.8 states directly that is a watching set for every instance of (c, G) 
under a backtrack point for P. 

Second, if ^/ ^ W H c^, then for any g €^ G, -il ^ W Hc^. The second claim here thus 
follows from the fourth claim in Proposition 7.8. 

The remaining two claims are more interesting. For the third, suppose that is some 
instance of (c, G). Now if is settled by {P, I), then we know that W will still be a watching 
set for it under {P, I). Therefore U y will also be a watching set for under {P, I). If 
is unsettled by {P,l), the condition of this claim says that \{W U n c^^ n U{{P,l))\ > 1, 
so that W UV is a watching set for under {P,l). This completes the proof of the third 
claim. 

For the fourth and final claim, there are three cases. 

1. If c» is unsettled by (P, I), note first that cfi fl S{P) = 0, so that 

{wuv)nc'^n [U{{P, l)) u {S{p) - S{P-))] = {wuv)nc^ n c/((p, l)) 

and ly U F is a watching set for under (P, I). Since -iZ U{{P, I)), 

{wuv)nd'n u{{p, i)) = {wuv- {^i}) n c» n c/((p, i)) 

and W UV — {-■/} is a watching set as well. 

2. If is unit under {P,l), consider: 

(a) If -iZ c^, then we know from the fourth claim of Proposition 7.8 that is a 
watching set for under (P, Z). It follows that W — {-iZ} must be as well, since 
^Z ^ c9. Thus so is U y - {^Z}. 

(b) If -il e c^, must be of the form 

c^' = xi V • • • V Xfc V ^/ V n 

for the new unit consequence u, where no G S{P). Note also that —^l cannot 
be in either U{{P,l)) or S{P). Thus 

cfn[U{{P,l))U{S{P)-S{P^))] = {u} 

in violation of the premise of the claim. 

3. Finally, if is satisfied by {P, I), we know that W (and therefore M^UF) is a watching 
set for under (P, I) ; the trick is to show that we can remove ->/ from I^ U F safely. 
If -il ^ c^, then we can obviously do so. 

If -^l e c^, we need to show that the third claim of Proposition 7.8 can be applied, so 
we need to show that 

\{wuv-{^i})r\(fr\U{P-^ca)\>i (36) 

Given the assumption that 

\{wuv)n(^ n[u{{P,l))u{S{P)-S{P-))]\ > i (37) 

note first that since -il ^ U{{P, I)) U {S{P) — S{P-)), -il is not in the intersection of 

(37) , which is therefore equivalent to 

\(wuv- {-/}) n n [U{{P, i)) u iS{P) - 5(p_))]| > i 

It follows that (36) will follow if we can show that 

UiP^c9) ^ U{{P, 0) U {S{P) - S{P-)) (38) 

But 

U{P^c^)^U{{P,l)) (39) 
because P-,cs is a (proper) subassignment of {P, I) . And we also have 

U{P^c^) D U{P-) D S{P) - S{P.) (40) 

The first inclusion holds because since € and is satisfied by (P, Z), must have 
been satisfied by P as well. Thus P-,c involves a backtrack from P, and since P_ is the 
last backtrack point before P, P-,cs is a subassignment of P_ and U{P^cs) 2 U{P-). 
The second inclusion in (40) holds because the literals that are satisfied in P but not 
in P must necessarily have been unvalued in P_. Combining (39) and (40) gives us 

(38) , and the result is proved. □ 

Procedure 7.11 Given a group $H$, two sets $c, V$ acted on by $H$, and a bound k > 0, to 
compute $\mathrm{overlap}(H, c, V, k)$, a collection of elements of $V$ sufficient to guarantee that for 
any $h \in H$, $|c^h \cap V| > k$, or $\emptyset$ if no such collection exists: 

1 m ^ 

2 W ^0 

3 for each orbit X of H 



4 do {Bi, . . . , Bk} ^ & minimal block system for W under H for which 

cOW ^ Bi for some i 

5 A=\cnX\+mm{Bir]V) -\Bi\ 

6 if A > 

7 then m m + A 

8 w ^wu{xnv) 

9 if m > 

10 then return W 



11 return 

Proposition 7.12 Procedure 7.11 returns a nonempty set W if and only if Procedure 5.19 
returns a value in excess of k. In this case, \c^ r\W\ > k for every h & H. 
Proof. For the first claim, we examine the two procedures. It is clear that Procedure 7.11 
returns as soon as Procedure 5.19 concludes that the minimum overlap is greater than k; 
we need simply argue that W will be nonempty. But each increment to W in line 8 must 
be nonempty, since ii X OV = 0, A will be zero on line 6. 

For the second part, imagine replacing V in the procedure with the set W returned. 
The computation will be unchanged at every step, so the conclusion follows. □ 

Procedure 7.13 Given groups $H \le G$, an element $t \in G$, sets $c$, $S$ and $U$, and 
optionally a watched element $w$, to find $\mathrm{Transport}(G, H, t, c, S, U, w)$, a skeletal set of unit 
$w$-consequences for $(c, G)$ given $P$: 

1 if w is supplied and w c 

2 then return (false, 0, 0) 

3 V ^overla.-p{H,c,S*~\0) 

4 if y 7^0 

5 then return (false, 0, 0) 

6 y ^ overlap(ii", c, (5 U C/)*"' , 1) 

7 if y 7^ 

8 then return (false, 0, F*) 

9 if c = Cij 

10 then if c* n [7 = 

11 then return (true, 1, 0) 

12 else return (false, (c*nC/,l),0) 

13 if a pruning lemma can be applied 

14 then return (false, 0, 0) 

15 a ^ an element of c — ch- If w is supplied and w ^ c\j, choose a so that G . 

16 y ^ 

17 W^0 

18 for each t' in (if : Ha) 

19 do (n, y, X) ^ Traiisport(G, Ha, ft, c, S, U, w) 

20 if u = true 

21 then return (true, Vt' , 0) 

22 else W^WUX 

23 Y^YU{{l,gt')\{l,g)eV} 

24 return (false, Y, W) 

Proposition 7.14 Suppose that overlap(iI, c, F, A;) is computed using Procedure 7.11, or 

otherwise satisfies the conclusion of Proposition 7.12. Then if there is a g ^ G such that 
w € c^ and c^ f] S = c^ (lU = 0, Transport(G, c, S, C/, as computed by Procedure 7.13 
returns (true, g, 0) for such a g. If there is no such g, Procedure 7.13 returns (false, Z, W), 
where Z is a skeletal set of unit w-consequences of (c, G) given P, and W is such that 
\y\rG{s,u,{w}} n c'* n [/| > 1 for every h e H such that w ^ c^ and is unsettled by P. 
Proof. The restriction to permutations g for which w & c^ is enforced by the first two 
lines of the procedure; note that if a contradiction is found on line 11, all of the points 
in c will have been fixed, so u; G for certain. Note that we can prune on this basis 
without affecting the overall correctness of the procedure, since the pruning lemmas have 
been restricted to the group K = G^s,u,{w}}j which leaves the watched literal w intact. 

The only other difference between Procedure 7.14 and Procedure 6.7 involves the com- 
putation of the set W of watched literals. When this set is produced on line 8, we know 
from Proposition 7.12 that the set W is sufficient to guarantee that \W H c^^ H U\ > 1 for 
every c'** in the current residual search tree. We must therefore show that any h satisfying 
the conditions in the proposition is covered by . To see this, we consider every 

point at which a node is pruned in the procedure, and show that all such points are covered 
by the exclusions in the statement of the proposition: 

1. A prune at line 2 will only occur if u; ^ c'** for any h E H. 

2. A prune at line 5 will only occur if c fl 5 7^ for every h & H, so that c is settled 
by P. 

3. If a pruning lemma is applied, it must be because an eventual solution g can be shown 
not to be minimal in the usual double coset G^^ygG^g u^^yj. But in this case, the 
watching set itself is operated on with G^s,u,{w}} the statement of the proposition 
itself. □ 

Procedure 7.16 (Unit propagation) To compute Unit-Propagate(C, P, L) where C 
is a set of watched augmented clauses, P is an annotated partial assignment, and L is a set 
of pairs {l,r) of literals I and reasons r: 

1 while L 7^ 



2 do (Z, r) <— an element of L 

3 L^L-{l,r) 

4 P^{P,{l,r)) 

5 for each ((c,G),H") G C 

6 do If ^leW 

7 then (r, H, V) ^ Transport(G, c, S{P), U{P),^l) 

8 if r = true 

9 then li ^ the literal in with the highest index in P 

10 return (true, resolve((c^, G), c^)) 

11 H' ^ complete{H, G^s{P),U{P),{l}}) 

12 for each h e H' 

13 do z ^ the literal in c'* unassigned by P 

14 if there is no {z, r') in L 

15 then L ^ L U (z, c^) 

16 w ^wu {u{P) n v'^is(p).u(p),{i}}) 

17 U ^ U{P) U {S{P) - S{P^)) 

18 if = A transport(G, c, 0, n U, 1, -^l) = FAILURE 

19 then W - 



20 return (false, P) 

Proposition 7.17 Let P be an annotated partial assignment, and C a set of watched 
augmented clauses, where for every $((c, G), W) \in C$, W is a watching set for (c, G) under P. 
Let L be the set of unit consequences of clauses in C . If Unit-Propagate(G, P, L) returns 
(true,c) for an augmented clause c, then c is a nogood for P, and any modified watching 
sets in C are still watching sets under P. Otherwise, the value returned is (false, P) and 
the watching sets in C will all have been replaced with watching sets under P. 
Proof. This is really just a matter of assembling the pieces. Procedure 7.16 is essentially 
a loop through the literals in L, much like the original procedure 2.7. For each such literal 
I, we find all the unit clauses that contain / by an appropriate call to Transport for each 
clause where I is watched. If the Transport call reveals the presence of a contradiction, we 
return the resolvent of the reasons for I and for as usual. If no contradiction is found, 
we adjust the partial assignment as in Procedure 2.7, add the new unit consequences to 
the list of what remains to be analyzed, and update the watching set in accordance with 
Propositions 7.10 and 7.14. 

The only remaining issue is the removal of —^l from the watching set W in line 19 of 
Procedure 7.16. We do this precisely when the fourth claim in Proposition 7.10 can be 
applied. Note that in the call to transport, we use U{P) instead of U{{P,l)), since I has 
already been added to P in line 4. We also require that be in the instance c^, since 
otherwise the intersection with will obviously be unaffected by the removal of -^L □ 

Lemma 8.3 If ci C C2 are two nogoods for P, then ci <p C2- 

Proof. This is immediate. As soon as the last literal in C2 is not in ci (which must happen 
eventually as literals are removed in Definition 8.2), the falsification depth of C2 will exceed 
that of ci . □ 

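Procedure 8.4 Suppose we are given two augmented clauses $(\alpha, G)$ and $(\beta, H)$ that are
unit for a partial assignment $P = \langle l_1, \dots, l_n \rangle$, with $l \in \alpha$ and $\neg l \in \beta$. To find a $<_P$-minimal
$l$-resolvent of $(\alpha, G)$ and $(\beta, H)$:

 1  $U \leftarrow \{l, \neg l\}$        ▷ literals you can't avoid
 2  $\alpha_f \leftarrow \alpha$
 3  $\beta_f \leftarrow \beta$
 4  $p \leftarrow [(\alpha_f \cup \beta_f) - U]$
 5  while $p > 0$
 6      do $g \leftarrow$ transport($G$, $\alpha$, $\{\neg l_p, \dots, \neg l_n\} - U$, 0, 0, $l$)
 7         $h \leftarrow$ transport($H$, $\beta$, $\{\neg l_p, \dots, \neg l_n\} - U$, 0, 0, $\neg l$)
 8         if $g$ = FAILURE $\vee$ $h$ = FAILURE
 9             then $U \leftarrow U \cup \{\neg l_p\}$
10             else $\alpha_f \leftarrow \alpha^g$
11                  $\beta_f \leftarrow \beta^h$
12         $p \leftarrow [(\alpha_f \cup \beta_f) - U]$
13  return resolve($\alpha_f$, $\beta_f$)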

Proposition 8.5 Suppose that we are given two augmented clauses $(\alpha, G)$ and $(\beta, H)$ such
that $\alpha$ and $\beta$ are unit for a partial assignment $P$, with $l \in \alpha$ and $\neg l \in \beta$. Then the value
returned by Procedure 8.4 is a $<_P$-minimal $l$-resolvent of $(\alpha, G)$ and $(\beta, H)$.

Proof. We need to show that the procedure terminates, that it returns an $l$-resolvent, and
that the result is $<_P$-minimal.

To show that Procedure 8.4 terminates, we show that $p$ is reduced on every iteration of
the main loop. At the beginning of each iteration, we know that

$$\neg l_p \in (\alpha_f \cup \beta_f) - U \tag{41}$$

At the end of the iteration, if line 9 is selected, then $\alpha_f$ and $\beta_f$ are unchanged but $\neg l_p$ is
added to $U$. This means that (41) will no longer be satisfied, but will still be satisfied for
$\neg l_i$ with $i > p$. Thus $p$ is reduced on line 12.

If, on the other hand, lines 10 and 11 are selected, we know from the definition of $g$ and
$h$ on lines 6 and 7 that for any literal with $\neg l \in \{\neg l_p, \dots, \neg l_n\} - U$, we have $\neg l \notin (\alpha_f \cup \beta_f)$.
In other words, if $\neg l \in \{\neg l_p, \dots, \neg l_n\}$, then $\neg l \notin (\alpha_f \cup \beta_f) - U$. Thus $p$ is once again
reduced, and the procedure therefore terminates. That it returns a resolvent is clear.

To see that the value returned is $<_P$-minimal, suppose that $g_m$ and $h_m$ are such that
$\alpha^{g_m} \cup \beta^{h_m} <_P \alpha_f \cup \beta_f$. We will show that $\alpha_f$ and $\beta_f$ cannot be the permutations returned
on line 13.

Set $z = [(\alpha_f \cup \beta_f) - (\alpha^{g_m} \cup \beta^{h_m})]$; this is the last point included in the $f$ images
produced by the procedure but not in the $m$ images provided by the hypothetical
counterexample. Since $\alpha^{g_m} \cup \beta^{h_m} <_P \alpha_f \cup \beta_f$, the two sets agree for literals with index greater
than $z$.

Since $\neg l_z \in (\alpha_f \cup \beta_f)$, the initial value for $p$ set in line 4 will be at least $z$; since the
procedure terminates when $p < 0$, the final value will be less than $z$.

Consider the point in the procedure at which $p$ changes from a value no less than $z$ to one
that is less than $z$. If the change is because $\neg l_p$ is added to $U$, then one of the transport calls
must have failed, so that it is impossible (say) for the image of $\alpha$ to avoid $\{\neg l_p, \dots, \neg l_n\} - U$.
But we know that $\alpha_f$ avoids $\{\neg l_{p+1}, \dots, \neg l_n\} - U$. Thus $\alpha^{g_m}$ avoids $\{\neg l_{p+1}, \dots, \neg l_n\} - U$,
but we are assuming that $\neg l_p \notin \alpha^{g_m}$, so transport($G$, $\alpha$, $\{\neg l_p, \dots, \neg l_n\} - U$, 0, 0) should
have succeeded after all.

It follows that the change in $p$ must have been in lines 10 and 11. But this is also
impossible, since the fact that we have successfully managed to avoid $\neg l_z$ contradicts the
assumption that $z = [(\alpha_f \cup \beta_f) - (\alpha^{g_m} \cup \beta^{h_m})]$, so that $\neg l_z \in \alpha_f \cup \beta_f$. □

Appendix B. ZAP Problem Format 

Historically, Boolean satisfiability problems are typically in a format where variables cor- 
respond to positive integers, literals are nonzero integers (negative integers are negated 
literals), and clauses are terminated with zeroes. The DIMACS format precedes the actual 
clauses in the problem with a single line such as p cnf 220 1122 indicating that there are 
220 variables appearing in 1,122 clauses in this problem. 

This numerical format makes it impossible to exploit any existing understanding that 
the user might have of the problem in question; this may not be a problem for a conventional 
Boolean tool (since the problem structure will have been obscured by the Boolean encoding 
in any event), but was felt to be inappropriate when building an augmented solver. We felt 
that it was important for the user to be able to: 

1. Specify numerical constraints such as appear in cardinality or parity constraints, 

2. Quantify axioms over finite domains, and 

3. Provide group augmentations explicitly if the above mechanisms were insufficient. 

Before discussing the specific provisions ZAP makes in each of these areas, we remark
that each ZAP input file begins with a list of domain specifications, giving the names and
sizes of each domain used in the theory. This is followed by predicate specifications, giving
the arity of each predicate and the domain type of each argument. After the predicates
and domains have been defined, it is possible to refer to predicate instances directly (e.g.,
in[1 3] indicating that the first pigeon is in the third hole) or in a nonground fashion (e.g.,
in[x y]).

Group definition When a group is specified directly, it is assigned a symbolic designator
that can then be used in an augmented clause. The group syntax is the conventional one,
with a group being described in terms of generators, each of which is a permutation. Each
permutation is a list of cycles, and each cycle is a space-separated list of literals.
An augmented clause that uses a previously defined group is of the form

clause GROUP group_1 ... group_n

where the (ground) clause is essentially a sequence of literals and each group_i is the
designator for a group to be used. The group in the augmented clause is then the group
collectively generated by the group_i's.

As an example, here is the group-based encoding of the pigeonhole instance involving 
four pigeons and three holes: 

// domain specs
SORT pigeon 4 ;
SORT hole 3 ;

// predicate specs
PREDICATE in(pigeon hole) ;

// group specs
GROUP G < ((in[1 1] in[2 1]) (in[1 2] in[2 2]) (in[1 3] in[2 3]))
          ((in[1 1] in[3 1] in[4 1]) (in[1 2] in[3 2] in[4 2])
           (in[1 3] in[3 3] in[4 3])) // permute pigeons
          ((in[1 1] in[1 2]) (in[2 1] in[2 2]) (in[3 1] in[3 2])
           (in[4 1] in[4 2])) // permute holes
          ((in[1 1] in[1 3]) (in[2 1] in[2 3]) (in[3 1] in[3 3])
           (in[4 1] in[4 3])) > ;

// group-based encoding
-in[1 1] -in[2 1] GROUP G ;
in[1 1] in[1 2] in[1 3] GROUP G ;

There are two types of domain variables, pigeons (of which there are four) and holes (of
which there are three). There is a single predicate indicating that a given pigeon is in a
particular hole. There is a single group, which corresponds to symmetries over both holes
and pigeons.

To generate the group, we use four generators. The first two correspond to the symmetry
over pigeons, with the first generator swapping the first two pigeons and the second generator
rotating pigeons one, three and four. (Recall that the permutations (1,2) and (1,3,4)
generate the symmetry group $S_4$ over the pigeons.)

The second pair of generators generate the symmetry over holes similarly, with the first
generator swapping the first two holes and the second generator swapping holes one and
three. (Once again, (1,2) and (1,3) generate $S_3$.)

Turning to the axioms, the first says that the first hole cannot contain both of the first 
two pigeons, and therefore that no hole can contain two distinct pigeons by virtue of the 
group action. The second axiom says that the first pigeon has to be in some hole, and 
therefore that every pigeon does.

Cardinality and parity constraints If the group is not specified directly, the general
form of a ZAP axiom is

quantifiers clause result 

where the quantifiers are described below. The result includes information about the 
desired "right hand side" of the axiom, and can be any of the following: 

• A simple terminator, indicating that the clause is Boolean, 

• A comparison operator (>, <=, =, etc.) followed by an integer, indicating that the 
clause is a cardinality constraint, or 

• A mod-2 operator (%2=) followed by an integer m, indicating that the sum of the
values of the literals is required to be congruent to m mod 2.

Quantification The quantifiers are of the form

$$\forall(x_1, \dots, x_k)$$

or

$$\exists(x_1, \dots, x_k)$$

where each of the $x_i$ are variables that can then appear in future predicate instances. In
addition to the two classical quantifiers above, we also introduce

$$\forall_{\neq}(x_1, \dots, x_k)$$

where the $\forall_{\neq}$ quantifier means that the variables can take any values that do not cause any of
the quantified predicate's instances to become identical. As an example, the axiom saying
that only one pigeon can be in each hole now becomes

$$\forall_{\neq}(p_1, p_2, h) \,.\, \neg\mathrm{in}(p_1, h) \vee \neg\mathrm{in}(p_2, h) \tag{42}$$

Contrast this with the conventional

$$\forall(p_1, p_2, h) \,.\, \neg\mathrm{in}(p_1, h) \vee \neg\mathrm{in}(p_2, h) \tag{43}$$

For any specific pigeon $p$ and hole $h$,

$$\neg\mathrm{in}(p, h) \vee \neg\mathrm{in}(p, h) \tag{44}$$

is an instance of (43) but not of (42). Since (44) is equivalent to $\neg\mathrm{in}(p, h)$, it is inappropriate
for inclusion in a pigeonhole formulation.

The introduction of the new quantifier should be understood in the light of the discussion
of Section 6.1 of ZAP2, where we argued that in many cases, the quantification given by $\forall_{\neq}$
is in fact more natural than that provided by $\forall$. The $\forall_{\neq}$ quantification is also far easier to
represent using augmented clauses, and avoids in many cases the need to introduce or to
reason about equality. In any event, ZAP supports both forms of universal quantification.

Here is the quantifier-based encoding of the pigeonhole problem:

SORT pigeon 9;
SORT hole 8;

PREDICATE in(pigeon hole);

// quantification-based encoding 
NOTEQ (x y z) -in[x z] -in[y z] ; 
FORALL(z) EXISTS (h) in[z h] ; 

This is the nine pigeon instance. The two axioms say directly that no hole z can contain
two distinct pigeons x and y (note the use of the NOTEQ or $\forall_{\neq}$), and every pigeon z has to be
in some hole h. This encoding is presumably more intuitive than the previous one.
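
As an added illustration (not part of the paper and not ZAP code), the following Python example expands both encodings for four pigeons and three holes and shows that they denote the same ground clauses: it closes the two augmented clauses under the four generators of G, and grounds the NOTEQ and FORALL/EXISTS axioms over the finite domains. The tuple representation of literals and all function names are assumptions made for the example, and EXISTS is read as a disjunction over the hole domain.

```python
from itertools import product

PIGEONS, HOLES = 4, 3  # sizes from the group-based listing (SORT pigeon 4, SORT hole 3)

def to_perm(cycles):
    """Map each atom (pigeon, hole) to its successor in its cycle."""
    return {a: b for cyc in cycles for a, b in zip(cyc, cyc[1:] + cyc[:1])}

def pigeon_cycle(*ps):  # one cycle per hole, moving the pigeons ps
    return to_perm([[(p, h) for p in ps] for h in range(1, HOLES + 1)])

def hole_cycle(*hs):  # one cycle per pigeon, moving the holes hs
    return to_perm([[(p, h) for h in hs] for p in range(1, PIGEONS + 1)])

# The four generators of GROUP G, in the order they appear in the listing.
GENERATORS = [pigeon_cycle(1, 2), pigeon_cycle(1, 3, 4),
              hole_cycle(1, 2), hole_cycle(1, 3)]

def image(perm, clause):
    """Apply a permutation of atoms to a clause of (sign, pigeon, hole) literals."""
    return frozenset((s, *perm.get((p, h), (p, h))) for s, p, h in clause)

def orbit(clause):
    """All images of a ground clause under the group generated by GENERATORS."""
    seen, frontier = {clause}, [clause]
    while frontier:
        c = frontier.pop()
        for g in GENERATORS:
            if (d := image(g, c)) not in seen:
                seen.add(d)
                frontier.append(d)
    return seen

def group_encoding():
    at_most = frozenset({(False, 1, 1), (False, 2, 1)})    # -in[1 1] -in[2 1]
    at_least = frozenset((True, 1, h) for h in (1, 2, 3))  # in[1 1] in[1 2] in[1 3]
    return orbit(at_most) | orbit(at_least)

def quantifier_encoding(noteq=True):
    pigeons, holes = range(1, PIGEONS + 1), range(1, HOLES + 1)
    clauses = set()
    for x, y, z in product(pigeons, pigeons, holes):
        atoms = [(x, z), (y, z)]
        if noteq and len(set(atoms)) < len(atoms):
            continue  # NOTEQ: drop bindings that make two instances identical
        clauses.add(frozenset((False, *a) for a in atoms))
    for z in pigeons:  # FORALL(z) EXISTS(h): a disjunction over the hole domain
        clauses.add(frozenset((True, z, h) for h in holes))
    return clauses
```

With `noteq=False` the grounding additionally contains the degenerate unit clauses of the form (44), one for each pigeon and hole.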